Windows Analysis Report
SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi

Overview

General Information

Sample name: SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi
Analysis ID: 1501044
MD5: 5175e85febed10fd772ee10d682946aa
SHA1: 655d4204fd1b86a5a619eebc2c210a4a0c03a0ba
SHA256: 44f4a65edf7ae3ce4fbc50b03bc034b27d699e7a17cbd130cac07d78ce171985
Tags: msi

Detection

AteraAgent
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
AI detected suspicious sample
Creates files in the system32 config directory
Installs Task Scheduler Managed Wrapper
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 7008 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7144 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 1196 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E4354813AFA0493C076A96F1473927A1 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 6024 cmdline: rundll32.exe "C:\Windows\Installer\MSI264A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5973750 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 3848 cmdline: rundll32.exe "C:\Windows\Installer\MSI2A13.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5974843 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 3748 cmdline: rundll32.exe "C:\Windows\Installer\MSI3C45.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5979234 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7192 cmdline: rundll32.exe "C:\Windows\Installer\MSI5698.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5985984 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 6632 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D2A93337BD56D0126E460CB8ACC61589 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 5960 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 6324 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 1508 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AteraAgent.exe (PID: 3912 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="wupdate10hotmail.com" /CompanyId="3" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000LYyQnIAL" /AgentId="62ae0c2e-ffb4-481a-8335-a07d991966c0" MD5: 477293F80461713D51A98A24023D45E8)
    • msiexec.exe (PID: 1464 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding AF7E4A1B0B1155AB835243F849AD2B99 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 5436 cmdline: rundll32.exe "C:\Windows\Installer\MSI3699.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6043765 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 8000 cmdline: rundll32.exe "C:\Windows\Installer\MSI3E3B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6045265 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
  • AteraAgent.exe (PID: 3444 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 1612 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7560 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "504a98f9-ca9a-4a89-a079-990a1f1a6906" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LYyQnIAL MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7648 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "bb464f1f-ebde-405c-84eb-3837e985cf22" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000LYyQnIAL MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7836 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 7904 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageAgentInformation.exe (PID: 7764 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "ddae9b04-c290-43f2-85d0-fe3323cd32b1" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000LYyQnIAL MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMonitoring.exe (PID: 4076 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "9e035915-6b26-402d-981e-e84a6229a7bd" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000LYyQnIAL MD5: B50005A1A62AFA85240D1F65165856EB)
      • conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AteraAgent.exe (PID: 7924 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 8020 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 3164 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "3fbee305-e327-428f-bda1-2bc18be2bca1" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000LYyQnIAL MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 1860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4336 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 7364 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageUpgradeAgent.exe (PID: 7540 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "4606faac-dcd3-48ea-96a4-be9dbf55b685" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000LYyQnIAL MD5: 6095B43FA565DA44E7A818CFB4BACBA2)
      • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 2344 cmdline: "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart MD5: E5DA170027542E25EDE42FC54C929077)
    • AgentPackageTicketing.exe (PID: 7584 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "fbadf2d1-7f6e-423f-8961-d7e14595905e" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000LYyQnIAL MD5: 1EB3651F13B9CFC3D055419FD7E51BF0)
      • conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageSTRemote.exe (PID: 6392 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "e1ec0629-d8c8-4b00-8645-21892e1a8ada" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000LYyQnIAL MD5: 00A4D22D776D110ADCC63F0C567131C6)
      • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageInternalPoller.exe (PID: 6672 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "cd4ff46e-95ac-4992-9056-7f18e16c3d90" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000LYyQnIAL MD5: 01807774F043028EC29982A62FA75941)
      • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageOsUpdates.exe (PID: 7860 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "35c7d0a2-9c2c-4240-a355-655b2bc909c2" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000LYyQnIAL MD5: C0C8815ACF3A7BD323512DFEA1B0ABF0)
      • conhost.exe (PID: 1448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageProgramManagement.exe (PID: 8132 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "78953d77-04f4-4927-96f2-48ea76bda9be" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000LYyQnIAL MD5: 6E034C46991A649567D61B8124D6E59F)
      • conhost.exe (PID: 1340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageSystemTools.exe (PID: 5052 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "211dffe3-b620-4fa7-85bc-a6b32d161c63" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000LYyQnIAL MD5: 26E9CCE4BD85A1FCACBF03A8C3F3DDCA)
      • conhost.exe (PID: 1524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • sppsvc.exe (PID: 8084 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 6356 cmdline: C:\Windows\System32\svchost.exe -k smphost MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • AgentPackageUpgradeAgent.exe (PID: 7556 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun MD5: 6095B43FA565DA44E7A818CFB4BACBA2)
    • conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Temp\~DF33240F6687B6B9EE.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Temp\~DF20A3BE0DDB7494A9.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Installer\MSI5698.tmp-\AlphaControlAgentInstallation.dll | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Installer\MSI3699.tmp-\AlphaControlAgentInstallation.dll | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |

Source | Rule | Description | Author | Strings
00000016.00000002.2222994795.00000204008F6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000000D.00000002.2375608859.00000187F023F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000029.00000002.2770623203.00000031795D2000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000001D.00000002.2652951278.00000043399E9000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000029.00000002.2808155599.00000185432A2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |

Source | Rule | Description | Author | Strings
60.2.AgentPackageSystemTools.exe.1f3ecde0000.1.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
45.2.AgentPackageTicketing.exe.1e702a10000.1.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
45.2.AgentPackageTicketing.exe.1e702a10000.1.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
47.0.AgentPackageSTRemote.exe.22f57fc0000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
45.0.AgentPackageTicketing.exe.1e702220000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |

Source: Process started, Author: Michael Haag, Data: Command: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7836, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ProcessId: 7904, ProcessName: cscript.exe
Source: Process started, Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements), Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D2A93337BD56D0126E460CB8ACC61589 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6632, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 5960, ProcessName: net.exe
Source: Process started, Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems), Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D2A93337BD56D0126E460CB8ACC61589 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6632, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 5960, ProcessName: net.exe
Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k smphost, CommandLine: C:\Windows\System32\svchost.exe -k smphost, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k smphost, ProcessId: 6356, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi, ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi, Virustotal: Detection: 15%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 98.7% probability
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Code function: 33_2_00007FFDF1544BC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,33_2_00007FFDF1544BC0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Code function: 33_2_00007FFDF1544E20 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash,33_2_00007FFDF1544E20
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Code function: 33_2_00007FFDF1544DE0 CryptReleaseContext,33_2_00007FFDF1544DE0
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
Source: C:\Windows\System32\msiexec.exe, Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\TEMP\AteraSetupLog.txt
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\LICENSE.txt
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7zip.license.txt
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.license.txt
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.license.txt
                                Source: Binary string: e089\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2808155599.00000185432F6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb| source: rundll32.exe, 0000003B.00000002.2613315327.00000000034C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2595777359.00000000034C4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdbs source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2808155599.00000185432F6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2770623203.00000031795D2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdbC source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2808155599.00000185432F6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2781574533.000001852A932000.00000002.00000001.01000000.0000004F.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi
                                Source: Binary string: c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmp
                                Source: Binary string: C:\buildAgent\work\1b72bc6dac87fa71\code_drop\merge\chocolatey.pdb source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmp
                                Source: Binary string: ?4nC:\Windows\Installer\MSI3E3B.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2611165258.0000000000E07000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000003.00000003.1789074978.0000000004EF3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004D85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.0000000004698000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2492428504.00000000046DD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D29000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000021.00000002.2164484533.00000230A56A2000.00000002.00000001.01000000.0000001D.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000014.00000002.2025861405.000002DF3C412000.00000002.00000001.01000000.00000018.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2587520528.000001FA27AB6000.00000002.00000001.01000000.00000049.sdmp
                                Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbviderp source: rundll32.exe, 0000003B.00000002.2613315327.00000000034C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2595777359.00000000034C4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2770623203.00000031795D2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbcccGCTL source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2808155599.00000185432DA000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/netstandard2.0/Newtonsoft.Json.pdbSHA256 source: Newtonsoft.Json.dll5.29.dr
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2179677636.00007FFDF168A000.00000002.00000001.01000000.0000001B.sdmp
                                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 0000003B.00000002.2613315327.00000000034C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2595777359.00000000034C4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2167238139.00000230A5BB2000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/netstandard2.0/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll5.29.dr
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Options/netstandard2.1-Release/Microsoft.Extensions.Options.pdbSHA256 source: Microsoft.Extensions.Options.dll.29.dr
                                Source: Binary string: \??\C:\Windows\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2808155599.00000185432F6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMarketplace\AgentPackageMarketplace\obj\Release\AgentPackageMarketplace.pdb source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709B4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000021.00000002.2165093862.00000230A57E2000.00000002.00000001.01000000.0000001F.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2613592612.000000000352D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2595592547.000000000352C000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000C.00000000.1855579783.00000145EC802000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: HP(n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2611165258.0000000000E07000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb< source: AgentPackageAgentInformation.exe, 00000014.00000000.2006729055.000002DF3BAE2000.00000002.00000001.01000000.00000016.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D270987000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000021.00000002.2167238139.00000230A5BB2000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: \??\C:\Windows\dll\System.pdb9ki # source: rundll32.exe, 0000003B.00000002.2613632394.0000000003542000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2610744416.0000000003542000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2770623203.00000031795D2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdbH source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2808155599.00000185432F6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.41.dr
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1789074978.0000000004EF3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004D85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.0000000004698000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2492428504.00000000046DD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D29000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb^ source: rundll32.exe, 0000003B.00000002.2613592612.000000000352D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2595592547.000000000352C000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\21\obj\Microsoft.ApplicationInsights\Release\src\Microsoft.ApplicationInsights\net45\Microsoft.ApplicationInsights.pdb source: AgentPackageSystemTools.exe, 0000003C.00000002.2585821846.000001F3EDCC2000.00000002.00000001.01000000.00000047.sdmp
                                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: AgentPackageOsUpdates.exe, 00000033.00000002.2557336050.000002573D956000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1855579783.00000145EC802000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: \??\C:\Windows\Installer\MSI3E3B.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2613315327.00000000034C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2595777359.00000000034C4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E10000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AgentPackageInternalPoller.exe, 00000031.00000000.2460220681.00000297E2222000.00000002.00000001.01000000.0000002B.sdmp
                                Source: Binary string: \??\C:\Windows\dll\System.pdb]kM ' source: rundll32.exe, 0000003B.00000003.2610744416.0000000003542000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000D.00000002.2376150586.00000187F04F2000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2166762577.00000230A5AF2000.00000002.00000001.01000000.00000022.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2165991306.00000230A5982000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000021.00000002.2166181011.00000230A5A12000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net6.0-Release/System.Diagnostics.EventLog.pdb source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E20000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq.Queryable\4.0.1.0\System.Linq.Queryable.pdb source: System.Linq.Queryable.dll.29.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78AC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2026566391.000002DF54C12000.00000002.00000001.01000000.00000019.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2454217453.0000023C015E0000.00000002.00000001.01000000.0000002A.sdmp
                                Source: Binary string: ]c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78AC000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2026566391.000002DF54C12000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2166762577.00000230A5AF2000.00000002.00000001.01000000.00000022.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2454217453.0000023C015E0000.00000002.00000001.01000000.0000002A.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb!* source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2770623203.00000031795D2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E10000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2781574533.000001852A932000.00000002.00000001.01000000.0000004F.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AgentPackageOsUpdates.exe, 00000033.00000000.2467778137.0000025724702000.00000002.00000001.01000000.0000002C.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdbr source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 00000031.00000002.2535588367.00000297FB712000.00000002.00000001.01000000.00000040.sdmp
                                Source: Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2770623203.00000031795D2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdbSHA256I5 source: AgentPackageOsUpdates.exe, 00000033.00000002.2554470723.000002573D812000.00000002.00000001.01000000.00000042.sdmp
                                Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2616967072.000000000782F000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2770623203.00000031795D2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb source: AgentPackageOsUpdates.exe, 00000033.00000002.2508621713.0000025724B72000.00000002.00000001.01000000.00000039.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1907649344.00000145EED02000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1907649344.00000145EED02000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 0000002D.00000002.3043456964.000001E702A12000.00000002.00000001.01000000.00000051.sdmp
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDBPu]y1 source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2770623203.00000031795D2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdba^{^ m^_CorDllMainmscoree.dll source: AgentPackageOsUpdates.exe, 00000033.00000002.2508621713.0000025724B72000.00000002.00000001.01000000.00000039.sdmp
                                Source: Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.41.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 00000031.00000002.2527434692.00000297FB322000.00000002.00000001.01000000.0000003D.sdmp
                                Source: Binary string: dows\dll\System.pdb]kM ' source: rundll32.exe, 0000003B.00000002.2613632394.0000000003542000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 0000002D.00000000.2436396451.000001E702222000.00000002.00000001.01000000.00000027.sdmp
                                Source: C:\Windows\System32\msiexec.exe File opened: z:
                                Source: C:\Windows\System32\msiexec.exe File opened: x:
                                Source: C:\Windows\System32\msiexec.exe File opened: v:
                                Source: C:\Windows\System32\msiexec.exe File opened: t:
                                Source: C:\Windows\System32\msiexec.exe File opened: r:
                                Source: C:\Windows\System32\msiexec.exe File opened: p:
                                Source: C:\Windows\System32\msiexec.exe File opened: n:
                                Source: C:\Windows\System32\msiexec.exe File opened: l:
                                Source: C:\Windows\System32\msiexec.exe File opened: j:
                                Source: C:\Windows\System32\msiexec.exe File opened: h:
                                Source: C:\Windows\System32\msiexec.exe File opened: f:
                                Source: C:\Windows\System32\msiexec.exe File opened: b:
                                Source: C:\Windows\System32\msiexec.exe File opened: y:
                                Source: C:\Windows\System32\msiexec.exe File opened: w:
                                Source: C:\Windows\System32\msiexec.exe File opened: u:
                                Source: C:\Windows\System32\msiexec.exe File opened: s:
                                Source: C:\Windows\System32\msiexec.exe File opened: q:
                                Source: C:\Windows\System32\msiexec.exe File opened: o:
                                Source: C:\Windows\System32\msiexec.exe File opened: m:
                                Source: C:\Windows\System32\msiexec.exe File opened: k:
                                Source: C:\Windows\System32\msiexec.exe File opened: i:
                                Source: C:\Windows\System32\msiexec.exe File opened: g:
                                Source: C:\Windows\System32\msiexec.exe File opened: e:
                                Source: C:\Windows\System32\cscript.exe File opened: c:
                                Source: C:\Windows\System32\msiexec.exe File opened: a:
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B401FFFh12_2_00007FFD9B401FAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B401873h12_2_00007FFD9B40172D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B401A44h12_2_00007FFD9B401A34
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3E4ECBh13_2_00007FFD9B3E4C41
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3E1873h13_2_00007FFD9B3E0C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3E227Bh13_2_00007FFD9B3E0C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3FBD72h13_2_00007FFD9B3FBB1E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3E4ECBh13_2_00007FFD9B3E4E45
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B40BDE2h29_2_00007FFD9B40BB8E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3F4ECBh29_2_00007FFD9B3F4C41
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3F4ECBh29_2_00007FFD9B3F4E45
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B614869h29_2_00007FFD9B614764
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B612AE0h29_2_00007FFD9B612839
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax29_2_00007FFD9B611B84
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax29_2_00007FFD9B611B51
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3F1873h29_2_00007FFD9B3F0C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3F227Bh29_2_00007FFD9B3F0C58

                                Networking

                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 20.37.139.187 443
                                Source: Yara matchFile source: 45.2.AgentPackageTicketing.exe.1e702a10000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 20.0.AgentPackageAgentInformation.exe.2df3bae0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 54.2.AgentPackageProgramManagement.exe.1fa40b80000.5.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, type: DROPPED
                                Source: Joe Sandbox ViewIP Address: 40.119.152.241 40.119.152.241
                                Source: Joe Sandbox ViewIP Address: 35.157.63.227 35.157.63.227
                                Source: Joe Sandbox ViewIP Address: 20.37.139.187 20.37.139.187
                                Source: Joe Sandbox ViewIP Address: 192.229.221.95 192.229.221.95
                                Source: Joe Sandbox ViewASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
                                Source: Joe Sandbox ViewASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.Z
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D77E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEAGENTINFORMATION/37.2/AGENTPACKAGEAGENTINFORMATI
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D258430000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMARKETPLACE/1.4/AGENTPACKAGEMARKETPLACE.ZIP
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7A5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/36.9/AGENTPACKAGEMONITORING.ZIP
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLE
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D25836A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESYSTEMTOOLS/26.8/AGENTPACKAGESYSTEMTOOLS.ZIP
                                Source: AteraAgent.exe, 0000000C.00000000.1855579783.00000145EC802000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7631000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://acontrol.atera.com/
                                Source: rundll32.exe, 00000004.00000002.1841281458.00000000051B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7A5D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78AC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78A4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D796A000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1961821022.0000000004905000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2025970680.000002DF3C5CF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.00000204008F9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.0000020400953000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.00000204008BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E3C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308D3EF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002F.00000002.2473754658.0000022F58A78000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000031.00000002.2508586406.00000297E2D55000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27D98000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2614896906.0000000004FB5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://agent-api.atera.com
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7A5D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D796A000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2614896906.0000000004FB5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://agentapigateway-us.centralus.cloudapp.azure.com
                                Source: AgentPackageTicketing.exe, 0000002D.00000002.3044688006.000001E702E7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.nuget.org
                                Source: rundll32.exe, 00000004.00000002.1841281458.00000000051B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78AC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78A4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1961821022.0000000004905000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2025970680.000002DF3C5CF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.00000204008F9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.0000020400953000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.00000204008BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E3C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308D3EF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002F.00000002.2473754658.0000022F58A78000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000031.00000002.2508586406.00000297E2D55000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
                                Source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2783811676.000001852ABC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://blob.ams08prdstr06a.store.core.windows.net
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78AC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7BA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2375608859.00000187F0250000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D27091B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D270987000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi, System.Linq.Queryable.dll.29.dr, Pubnub.dll0.1.dr, BouncyCastle.Crypto.dll.41.dr, Newtonsoft.Json.dll5.29.dr, Microsoft.Extensions.Options.dll.29.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D270936000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021C
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D270936000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021C.crt0
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D79B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78F3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7A5D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7BA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D258034000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257F9F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E45000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D258198000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D258129000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D2580B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
                                Source: AteraAgent.exe, 0000000C.00000002.1907844185.00000145EEF4C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1907230385.00000145EE380000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1902282659.00000145800BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2375608859.00000187F023F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2376578057.00000187F061E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78AC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7BA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2371925166.00000187EFD00000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2375796595.00000187F0292000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2373366773.00000187F0181000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2656573181.000001D2575C6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D25822E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D258276000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E45000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D258198000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D270907000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 
0000001D.00000002.2663679651.000001D257FAA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2767552688.000001D27039D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257F22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D270936000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA40/ki
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1907230385.00000145EE380000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2373366773.00000187F0157000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78AC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7BA5000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D270936000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D2708CE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D270987000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000029.00000002.2783811676.000001852ABF0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000029.00000002.2783811676.000001852ABEC000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi, 
System.Linq.Queryable.dll.29.dr, Pubnub.dll0.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2376578057.00000187F061E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2373366773.00000187F018D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78AC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7BA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2373366773.00000187F00A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2371925166.00000187EFD38000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2026768522.000002DF54D42000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2229758897.0000020418F5E000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000001C.00000003.2145956769.00000230BEC5E000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000001C.00000003.2145013771.00000230BEC23000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000001C.00000002.2146884514.00000230BEC5E000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000001C.00000003.2145378206.00000230BEC2B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2656573181.000001D2575C6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D270936000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 
0000001D.00000002.2772772048.000001D2709B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D27091B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://cdn.rubyinstaller.org/archives/devkits/DevKit-mingw64-32-4.7.2-20130224-1151-sfx.exe
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://cdn.rubyinstaller.org/archives/devkits/DevKit-mingw64-64-4.7.2-20130224-1432-sfx.exe
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2649011701.000001FA406AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micron
                                Source: AteraAgent.exe, 0000000D.00000002.2371925166.00000187EFD00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/SGCA.crl0
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2649011701.000001FA40673000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiString found in binary or memory: http://ocsp.digicert.com0K
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiString found in binary or memory: http://ocsp.digicert.com0N
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiString found in binary or memory: http://ocsp.digicert.com0O
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1907230385.00000145EE380000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2373366773.00000187F0157000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78AC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7BA5000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D270936000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D2708CE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D270987000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000029.00000002.2783811676.000001852ABF0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000029.00000002.2783811676.000001852ABEC000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi, 
System.Linq.Queryable.dll.29.dr, Pubnub.dll0.1.drString found in binary or memory: http://ocsp.digicert.com0X
                                Source: AteraAgent.exe, 0000000D.00000002.2373366773.00000187F0157000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2
                                Source: AteraAgent.exe, 0000001D.00000002.2767552688.000001D27039D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
                                Source: AteraAgent.exe, 0000000C.00000002.1907230385.00000145EE380000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
                                Source: AteraAgent.exe, 0000000C.00000002.1907230385.00000145EE380000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
                                Source: AteraAgent.exe, 0000000D.00000002.2371925166.00000187EFD6D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D2708CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
                                Source: AteraAgent.exe, 0000001D.00000002.2767552688.000001D27039D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: AteraAgent.exe, 0000000D.00000002.2371925166.00000187EFD6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crlFPj
                                Source: AteraAgent.exe, 0000000D.00000002.2373366773.00000187F0138000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.ncdc.gov.sa0
                                Source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2783811676.000001852ABC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://packagesstore.blob.core.windows.net
                                Source: AteraAgent.exe, 0000000D.00000002.2373366773.00000187F013C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pki.digidentity.eu/validatie0
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://poshcode.org/2513
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://poshcode.org/417
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://powershell.com/cs/blogs/tips/archive/2009/02/05/validating-a-url.aspx
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7A5D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D2581D0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D2581CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D25820E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.atera.com
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D79B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7AF1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D25822E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.pndsn.com
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://pwnt.co
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://rawcdn.githack.com/
                                Source: AteraAgent.exe, 0000000C.00000002.1902282659.00000145800BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
                                Source: AteraAgent.exe, 0000000C.00000002.1902282659.00000145800BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                                Source: AteraAgent.exe, 0000000C.00000002.1902282659.00000145800BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27B11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2166181011.00000230A5A12000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                                Source: rundll32.exe, 00000004.00000002.1841281458.00000000050F1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1841281458.0000000005194000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7631000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1961821022.0000000004841000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1961821022.00000000048E7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2025970680.000002DF3C523000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.0000020400928000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.0000020400701000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257B71000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000029.00000002.2783811676.000001852AA91000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3044688006.000001E702AD1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002F.00000002.2473754658.0000022F58A08000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000031.00000002.2508586406.00000297E2C50000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27B11000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2614896906.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2614896906.0000000004F90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: 
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27B11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://somehwere/something.exe
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://somewhere.com/downloads/Install-WindowsImage.ps1
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://somewhere.com/downloads/Install-WindowsImagex64.ps1
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://somewhere123zzaafasd.invalid
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://somewhere123zzaafasd.invalidUAttempting
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://stackoverflow.com/a/13571471/18475
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40D91000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://stackoverflow.com/a/15281070/18475
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://stackoverflow.com/questions/265339/whats-the-best-way-to-automate-secure-ftp-in-powershell
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://stackoverflow.com/questions/518181/too-many-automatic-redirections-were-attempted-error-messa
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40D91000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://stanislavs.org/stopping-command-line-applications-programatically-with-ctrl-c-events-from-net
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://stexbar.googlecode.com/files/StExBar-1.8.3.msi
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://stexbar.googlecode.com/files/StExBar64-1.8.3.msi
                                Source: AteraAgent.exe, 0000000D.00000002.2373366773.00000187F0138000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2373366773.00000187F0138000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiString found in binary or memory: http://wixtoolset.org
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004EF3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004D85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.0000000004698000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2492428504.00000000046DD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004EF3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004D85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.0000000004698000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2492428504.00000000046DD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/news/
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004EF3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004D85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.0000000004698000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2492428504.00000000046DD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/releases/
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2164838253.00000230A5742000.00000002.00000001.01000000.0000001E.sdmpString found in binary or memory: http://www.abit.com.tw/
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmp, UnInstall-ChocolateyZipPackage.ps1.54.drString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                                Source: AteraAgent.exe, 0000000D.00000002.2373366773.00000187F0157000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.defence.gov.au/pki0
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D79B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78F3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7A5D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7BA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D258034000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257F9F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E45000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D258198000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D258129000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D2580B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1907844185.00000145EEF4C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1907230385.00000145EE380000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1902282659.00000145800BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2375608859.00000187F023F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2376578057.00000187F061E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78AC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7BA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2371925166.00000187EFD00000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2375796595.00000187F0292000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2373366773.00000187F0181000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2656573181.000001D2575C6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D25822E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D258276000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E45000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 
0000001D.00000002.2663679651.000001D258198000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D270907000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                                Source: AteraAgent.exe, 0000000D.00000002.2373366773.00000187F0157000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://www.gnu.org/
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://www.jeremyskinner.co.uk/2010/03/07/using-git-with-windows-powershell/
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupexitcodes
                                Source: AteraAgent.exe, 0000000C.00000002.1902282659.00000145800BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                                Source: AteraAgent.exe, 0000000C.00000002.1902282659.00000145800BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27E2A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA280FB000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27DE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.or
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.0000020400979000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.P
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.0000020400928000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.Pro
                                Source: rundll32.exe, 00000004.00000002.1841281458.0000000005194000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1961821022.00000000048E7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2614896906.0000000004F90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterD
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004EF3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1841281458.00000000050F1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1841281458.0000000005194000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004D85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048B3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D79B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7A5D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7631000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78A4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D796A000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1961821022.0000000004841000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1961821022.00000000048E7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.0000000004698000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2025970680.000002DF3C523000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.00000204008F9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.0000020400928000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.0000020400701000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.00000204008BC000.00000004.00000800.00020000.00000000.sdmp, 
AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E20000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3044688006.000001E702AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://github.com/dahlbyk/posh-git
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://github.com/dahlbyk/posh-git/blob/1941da2472eb668cde2d6a5fc921d5043a024386/LICENSE.txt
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E20000.00000004.00000800.00020000.00000000.sdmp, Microsoft.Extensions.Options.dll.29.drString found in binary or memory: https://github.com/dotnet/runtime
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://github.com/downloads/spraints/git-tfs/GitTfs-0.11.0.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2376150586.00000187F04F2000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: https://github.com/icsharpcode/SharpZipLib
                                Source: AgentPackageInternalPoller.exe, 00000031.00000002.2535588367.00000297FB712000.00000002.00000001.01000000.00000040.sdmpString found in binary or memory: https://github.com/lextudio/sharpsnmplib.git
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://github.com/majkinetor/au-packages/commit/bf95d56fe5851ee2e4f6f15f79c1a2877a7950a1
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27B11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://licensedpackages.chocolatey.org/api/v2/
                                Source: AgentPackageSTRemote.exe, 0000002F.00000000.2438833308.0000022F57FC2000.00000002.00000001.01000000.00000028.sdmpString found in binary or memory: https://my.splashtop.com/csrs/win
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2166705879.00000230A5AE8000.00000002.00000001.01000000.00000021.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2166181011.00000230A5A12000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: https://nlog-project.org/
                                Source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2783811676.000001852AA91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net
                                Source: AgentPackageUpgradeAgent.exe, 00000029.00000000.2411035801.000001852A082000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Agents/Mac/
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/BitDefender/rmm.zip
                                Source: AgentPackageUpgradeAgent.exe, 00000029.00000000.2411035801.000001852A082000.00000002.00000001.01000000.00000026.sdmp, AgentPackageUpgradeAgent.exe, 00000029.00000002.2783811676.000001852AA91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric
                                Source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2783811676.000001852AA91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MSI/1.8.7.2/Setupx64.msi
                                Source: AgentPackageUpgradeAgent.exe, 00000029.00000000.2411035801.000001852A082000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MacAgent/1.0/AteraAgentInstaller.pkgA/
                                Source: AgentPackageUpgradeAgent.exe, 00000029.00000000.2411035801.000001852A082000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric5Get
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D2581D0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D258430000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D2581CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D2583AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateH
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D2581D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateHb
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7A5D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D77E1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D2581D0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D258430000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D2583AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7A5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/a
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7A5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/ag
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAg
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D796A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7988000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAge
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D796A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAgen
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7988000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAgentIn
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D79F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.39/AgentPackageMonitoring.z
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7687000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7687000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7988000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/37.2/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D79F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7A5D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D79F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.ziph
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D2581D0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257DA4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76AC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7687000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76AC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip?nipvP0
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7988000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.2/AgentPackageAgentInformati
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D258430000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.4/AgentPackageMark
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.4/AgentPackageMarketplace.zip
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D2581CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.4/AgentPackageMarketplace.zip?nipv
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D79F8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7A5D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip?nipvP
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7A5D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D79F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.ziph
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76AC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/19.4/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/23.9/AgentPackageProgramManage
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D2581D0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257DA4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/22.1/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D25836A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/26.8/AgentPackageSys
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/26.8/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D2583AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/26.8/AgentPackageSystemTools.zip?nip
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76AC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/28.2/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/28.2/AgentPackageTicketing.zip?nipvP0h
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/26.8/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7687000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7687000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7988000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D79F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
                                Source: AgentPackageTicketing.exe, 0000002D.00000002.3043456964.000001E702A12000.00000002.00000001.01000000.00000051.sdmpString found in binary or memory: https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkg
                                Source: AgentPackageTicketing.exe, 0000002D.00000002.3044688006.000001E702B4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkgX
                                Source: AgentPackageSTRemote.exe, 0000002F.00000000.2438833308.0000022F57FC2000.00000002.00000001.01000000.00000028.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exe
                                Source: AgentPackageSTRemote.exe, 0000002F.00000000.2438833308.0000022F57FC2000.00000002.00000001.01000000.00000028.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exepUsers/Shared/Splashtop
                                Source: AgentPackageTicketing.exe, 0000002D.00000002.3043456964.000001E702A12000.00000002.00000001.01000000.00000051.sdmpString found in binary or memory: https://ps.atera.com/translations/TicketingTray/
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D79B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7AF9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7AF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D79B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7AF9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7AF1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D25822E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257BEC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=5b4410f5-0f2e-4bd3-a963-23525d683552
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7AF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=85a79db5-0658-46a6-80ce-729a85dc4fcb
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=a1d1d947-27a0-4e72-b4f5-f35d13fc8697
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D79B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cae67bb8-5b70-4c17-b4f7-6778efac0f0f
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D257BEC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d1fb1cee-fe06-447f-b4c9-6316106e98fa
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d396c248-6ee3-4c2f-b43b-7ca1410ef556
                                Source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/62ae0c2e
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D79F8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D77F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C1F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/62ae0c2e-ffb4-481a-8335
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://push.chocolatey.org
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27B11000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://push.chocolatey.org/
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmp, checksum.license.txt.54.drString found in binary or memory: https://raw.github.com/ferventcoder/checksum/master/LICENSE
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_config.gif
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_install.gif
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_outdated.gif
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_search.gif
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_uninstall.gif
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_upgrade.gif
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/chocopro_install_stopped.gif
                                Source: AgentPackageSystemTools.exe, 0000003C.00000002.2585821846.000001F3EDCC2000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://rt.services.visualstudio.com/p
                                Source: AgentPackageTicketing.exe, 0000002D.00000002.3043456964.000001E702A12000.00000002.00000001.01000000.00000051.sdmpString found in binary or memory: https://setup-app-resolver.atera.com
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://sevenzip.osdn.jp/chm/general/formats.htm
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://somelocation.com/
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://somelocation.com/thefile.exe
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://somewhere.com/file-x64.msi
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://somewhere.com/file.msi
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://somewhere.com/file.mst
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://somewhere/bob-x64.exe
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://somewhere/bob.exe
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://somewhere/out/there.msi
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2167238139.00000230A5BB2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: https://system.data.sqlite.org/
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2167502718.00000230A5C14000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: https://system.data.sqlite.org/X
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2167238139.00000230A5BB2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: https://urn.to/r/sds_see
                                Source: AteraAgent.exe, 0000000D.00000002.2376410802.00000187F05E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.certicamara.com/marco-legal0Z
                                Source: AgentPackageTicketing.exe, 0000002D.00000002.3043456964.000001E702A12000.00000002.00000001.01000000.00000051.sdmp, AgentPackageSystemTools.exe, 0000003C.00000000.2539693932.000001F3ECA72000.00000002.00000001.01000000.00000041.sdmp, AgentPackageSystemTools.exe, 0000003C.00000002.2553475532.000001F380001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnosti
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiString found in binary or memory: https://www.digicert.com/CPS0
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27C66000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpString found in binary or memory: https://www.howsmyssl.com/
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
                                Source: Newtonsoft.Json.dll5.29.drString found in binary or memory: https://www.newtonsoft.com/jsonschema
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2166705879.00000230A5AE8000.00000002.00000001.01000000.00000021.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2166181011.00000230A5A12000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
                                Source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78AC000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2026566391.000002DF54C12000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2166762577.00000230A5AF2000.00000002.00000001.01000000.00000022.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2454217453.0000023C015E0000.00000002.00000001.01000000.0000002A.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll5.29.drString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                                Source: AgentPackageMonitoring.exeString found in binary or memory: https://www.sqlite.org/copyright.html
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2179975053.00007FFDF16D4000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: https://www.sqlite.org/copyright.html2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                Spam, unwanted Advertisements and Ransom Demands

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgent
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\5b2502.msi
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI264A.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2A13.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3C45.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipi
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3E3A.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3E3B.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3EB9.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3F75.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\5b2504.msi
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5698.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\5b2505.msi
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3699.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6B66.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7328.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7348.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI752D.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7628.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9114.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9115.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI91A3.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9201.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\5b2511.msi
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9A7E.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI264A.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI264A.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI264A.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI264A.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI264A.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI264A.tmp-\CustomAction.config
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2A13.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2A13.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2A13.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2A13.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2A13.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2A13.tmp-\CustomAction.config
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3C45.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3C45.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3C45.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3C45.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3C45.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3C45.tmp-\CustomAction.config
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5698.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5698.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5698.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5698.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5698.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5698.tmp-\CustomAction.config
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3699.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3699.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3699.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3699.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3699.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3699.tmp-\CustomAction.config
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3E3B.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3E3B.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3E3B.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3E3B.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3E3B.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3E3B.tmp-\CustomAction.config
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log
                                Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI264A.tmp
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3F888622_2_00007FFD9B3F8886
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3F190D22_2_00007FFD9B3F190D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B414F7D22_2_00007FFD9B414F7D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3F401022_2_00007FFD9B3F4010
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3FCCF922_2_00007FFD9B3FCCF9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3FC36F22_2_00007FFD9B3FC36F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3F12C022_2_00007FFD9B3F12C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3F963222_2_00007FFD9B3F9632
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B4164C022_2_00007FFD9B4164C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B4059D122_2_00007FFD9B4059D1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B414C7822_2_00007FFD9B414C78
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3F11FA22_2_00007FFD9B3F11FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3F073022_2_00007FFD9B3F0730
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFD9B3E190D24_2_00007FFD9B3E190D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFD9B3E11CF24_2_00007FFD9B3E11CF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFD9B3E11FA24_2_00007FFD9B3E11FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B411FAD29_2_00007FFD9B411FAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B40CEA029_2_00007FFD9B40CEA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B3F9EDF29_2_00007FFD9B3F9EDF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B401D8B29_2_00007FFD9B401D8B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B40CD8029_2_00007FFD9B40CD80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B413CD029_2_00007FFD9B413CD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B40D2E029_2_00007FFD9B40D2E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B3F608529_2_00007FFD9B3F6085
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B40943629_2_00007FFD9B409436
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B61D16129_2_00007FFD9B61D161
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B61B7EF29_2_00007FFD9B61B7EF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B609E9D29_2_00007FFD9B609E9D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B610E6E29_2_00007FFD9B610E6E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B613C5029_2_00007FFD9B613C50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B6199E129_2_00007FFD9B6199E1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B60695029_2_00007FFD9B606950
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B60AF9829_2_00007FFD9B60AF98
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B608FED29_2_00007FFD9B608FED
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B6174B829_2_00007FFD9B6174B8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B3F0C5829_2_00007FFD9B3F0C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15BB88033_2_00007FFDF15BB880
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF16701E033_2_00007FFDF16701E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF16620E033_2_00007FFDF16620E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF166696033_2_00007FFDF1666960
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15311B033_2_00007FFDF15311B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF159F1B033_2_00007FFDF159F1B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15C917033_2_00007FFDF15C9170
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15AF22033_2_00007FFDF15AF220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF164320033_2_00007FFDF1643200
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF16650F033_2_00007FFDF16650F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15593D033_2_00007FFDF15593D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15CB37033_2_00007FFDF15CB370
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF160F3E033_2_00007FFDF160F3E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF153D28433_2_00007FFDF153D284
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF153F34033_2_00007FFDF153F340
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15CD35033_2_00007FFDF15CD350
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF154564033_2_00007FFDF1545640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF159B64733_2_00007FFDF159B647
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF157F63033_2_00007FFDF157F630
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF153D63433_2_00007FFDF153D634
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15374B033_2_00007FFDF15374B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF153347433_2_00007FFDF1533474
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF153955C33_2_00007FFDF153955C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF167F79033_2_00007FFDF167F790
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF158F78033_2_00007FFDF158F780
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF157D77033_2_00007FFDF157D770
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF168184033_2_00007FFDF1681840
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF154D83033_2_00007FFDF154D830
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF16256D033_2_00007FFDF16256D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15D169033_2_00007FFDF15D1690
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15D772033_2_00007FFDF15D7720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15A36E033_2_00007FFDF15A36E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF159B9F033_2_00007FFDF159B9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15918DA33_2_00007FFDF15918DA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF155D91033_2_00007FFDF155D910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1579BA033_2_00007FFDF1579BA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF161DB8033_2_00007FFDF161DB80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1673C2033_2_00007FFDF1673C20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF155BBE033_2_00007FFDF155BBE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1565AD033_2_00007FFDF1565AD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1569A6033_2_00007FFDF1569A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15E7A6033_2_00007FFDF15E7A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1597B3033_2_00007FFDF1597B30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15D3AF033_2_00007FFDF15D3AF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1545E5033_2_00007FFDF1545E50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1563E1033_2_00007FFDF1563E10
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF161BCD033_2_00007FFDF161BCD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF160DCC033_2_00007FFDF160DCC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1607D2033_2_00007FFDF1607D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1579CF033_2_00007FFDF1579CF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1537EC033_2_00007FFDF1537EC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15CFED033_2_00007FFDF15CFED0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15E5EA033_2_00007FFDF15E5EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15D7EA033_2_00007FFDF15D7EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15B3EB033_2_00007FFDF15B3EB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1577E7033_2_00007FFDF1577E70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15C5F2033_2_00007FFDF15C5F20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1547F3033_2_00007FFDF1547F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1569F3033_2_00007FFDF1569F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF158FEF033_2_00007FFDF158FEF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15A224033_2_00007FFDF15A2240
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15EC22033_2_00007FFDF15EC220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15CA0C033_2_00007FFDF15CA0C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15D40A033_2_00007FFDF15D40A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15BC11033_2_00007FFDF15BC110
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15D22B033_2_00007FFDF15D22B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF155033033_2_00007FFDF1550330
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF155231033_2_00007FFDF1552310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15F831033_2_00007FFDF15F8310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15DA2F033_2_00007FFDF15DA2F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF16505D033_2_00007FFDF16505D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15385D433_2_00007FFDF15385D4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15EA5D033_2_00007FFDF15EA5D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF166E5B033_2_00007FFDF166E5B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF161659033_2_00007FFDF1616590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15EE59033_2_00007FFDF15EE590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15B060033_2_00007FFDF15B0600
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15444DC33_2_00007FFDF15444DC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15964A033_2_00007FFDF15964A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15B455033_2_00007FFDF15B4550
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF153A52433_2_00007FFDF153A524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF158051033_2_00007FFDF1580510
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF153E80C33_2_00007FFDF153E80C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15CA7E033_2_00007FFDF15CA7E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF166C68033_2_00007FFDF166C680
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF154E72033_2_00007FFDF154E720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF154273833_2_00007FFDF1542738
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF158E99033_2_00007FFDF158E990
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1538A3C33_2_00007FFDF1538A3C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15328C033_2_00007FFDF15328C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15888A033_2_00007FFDF15888A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF154886033_2_00007FFDF1548860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15F686033_2_00007FFDF15F6860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF162691033_2_00007FFDF1626910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1588B9033_2_00007FFDF1588B90
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15DCC0033_2_00007FFDF15DCC00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1556A8033_2_00007FFDF1556A80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1578A6033_2_00007FFDF1578A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15FAA7033_2_00007FFDF15FAA70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15ACB5033_2_00007FFDF15ACB50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF161AB0033_2_00007FFDF161AB00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1534DB433_2_00007FFDF1534DB4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF166CD6033_2_00007FFDF166CD60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF16806B0 appears 145 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF1681B70 appears 102 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF1681D30 appears 114 times
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiBinary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiBinary or memory string: OriginalFilenameSfxCA.dll\ vs SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiBinary or memory string: OriginalFilenamewixca.dll\ vs SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi
                                Source: ICSharpCode.SharpZipLib.dll.1.dr, InflaterInputBuffer.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll.1.dr, DeflaterOutputStream.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll.1.dr, ZipAESTransform.csCryptographic APIs: 'TransformBlock'
                                Source: AteraAgent.exe.1.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                                Source: AteraAgent.exe0.1.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                                Source: classification engineClassification label: mal100.troj.spyw.evad.winMSI@105/627@0/9
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2316:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackageosupdates_log.txt
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7784:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1524:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\GenericDevicesFileLock
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7596:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7856:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5076:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7528:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMutant created: \BaseNamedObjects\C__Program Files (x86)_ATERA Networks_AteraAgent_Packages_AgentPackageProgramManagement_logs_chocolatey.log
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7568:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8036:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeMutant created: NULL
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1340:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1420:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7668:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6408:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\SNMPDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMutant created: \BaseNamedObjects\NLogMutexTester
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1448:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMutant created: \BaseNamedObjects\Global\{bd59231e-97d1-4fc0-a975-80c3fed498b7}
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1860:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7564:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMutant created: \BaseNamedObjects\C__Program Files (x86)_ATERA Networks_AteraAgent_Packages_AgentPackageProgramManagement_logs_choco.summary.log
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6820:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\HttpDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\ServerDevicesFileLock
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DF1D775E85030B078D.TMP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI264A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5973750 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;kDELETE FROM ThresholdDuration WHERE Identifier = @id;
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);kExecuteScriptAsync SystemTools Start scriptGuid : {0}Wrunscriptguid {0} 10 W10= disableSendResultC{0} {1} {2} {3} or8ixLi90Mf "{4}"
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS StatisticsSendTime (Id INTEGER PRIMARY KEY,Timestamp BIGINT NOT NULL);
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);%StatisticsSendTime
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);@
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000021.00000002.2179677636.00007FFDF168A000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);@
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);@
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2179677636.00007FFDF168A000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000021.00000002.2179677636.00007FFDF168A000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: SELECT Timestamp FROM StatisticsSendTime ORDER BY Timestamp DESC LIMIT 1;
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);sSELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000021.00000002.2179677636.00007FFDF168A000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000021.00000002.2179677636.00007FFDF168A000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);@
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: SELECT [Id], [Alerts], [Timestamp] FROM [AlertsSent] ORDER BY [Timestamp] DESC LIMIT 1;
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);/DELETE FROM Statistics;eSELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000021.00000002.2179677636.00007FFDF168A000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL);
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308D421000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000021.00000002.2179677636.00007FFDF168A000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: select Name from Win32_PerfFormattedData_Tcpip_NetworkInterface!DataStatsEnabled9InboundBandwidthStatsEnabled;OutboundBandwidthStatsEnabled
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: SELECT Id, IsActive, Timestamp, Name, Thresholds FROM ThresholdsProfiles ORDER BY Timestamp DESC LIMIT 1;
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiReversingLabs: Detection: 21%
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiVirustotal: Detection: 15%
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi"
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E4354813AFA0493C076A96F1473927A1
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI264A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5973750 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2A13.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5974843 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI3C45.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5979234 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D2A93337BD56D0126E460CB8ACC61589 E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="wupdate10hotmail.com" /CompanyId="3" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000LYyQnIAL" /AgentId="62ae0c2e-ffb4-481a-8335-a07d991966c0"
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI5698.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5985984 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "504a98f9-ca9a-4a89-a079-990a1f1a6906" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "bb464f1f-ebde-405c-84eb-3837e985cf22" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "ddae9b04-c290-43f2-85d0-fe3323cd32b1" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "9e035915-6b26-402d-981e-e84a6229a7bd" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k smphost
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "3fbee305-e327-428f-bda1-2bc18be2bca1" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "4606faac-dcd3-48ea-96a4-be9dbf55b685" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "fbadf2d1-7f6e-423f-8961-d7e14595905e" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "e1ec0629-d8c8-4b00-8645-21892e1a8ada" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "cd4ff46e-95ac-4992-9056-7f18e16c3d90" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "35c7d0a2-9c2c-4240-a355-655b2bc909c2" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "78953d77-04f4-4927-96f2-48ea76bda9be" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AF7E4A1B0B1155AB835243F849AD2B99 E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI3699.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6043765 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI3E3B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6045265 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "211dffe3-b620-4fa7-85bc-a6b32d161c63" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E4354813AFA0493C076A96F1473927A1Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D2A93337BD56D0126E460CB8ACC61589 E Global\MSI0000Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="wupdate10hotmail.com" /CompanyId="3" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000LYyQnIAL" /AgentId="62ae0c2e-ffb4-481a-8335-a07d991966c0"Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AF7E4A1B0B1155AB835243F849AD2B99 E Global\MSI0000Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI264A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5973750 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentIdJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2A13.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5974843 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStartJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI3C45.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5979234 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallationJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI5698.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5985984 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEndJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgentJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exeJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgentJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "504a98f9-ca9a-4a89-a079-990a1f1a6906" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "bb464f1f-ebde-405c-84eb-3837e985cf22" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "ddae9b04-c290-43f2-85d0-fe3323cd32b1" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "9e035915-6b26-402d-981e-e84a6229a7bd" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "3fbee305-e327-428f-bda1-2bc18be2bca1" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "4606faac-dcd3-48ea-96a4-be9dbf55b685" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "fbadf2d1-7f6e-423f-8961-d7e14595905e" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "e1ec0629-d8c8-4b00-8645-21892e1a8ada" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "cd4ff46e-95ac-4992-9056-7f18e16c3d90" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "35c7d0a2-9c2c-4240-a355-655b2bc909c2" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "78953d77-04f4-4927-96f2-48ea76bda9be" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "211dffe3-b620-4fa7-85bc-a6b32d161c63" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Process created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI3699.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6043765 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI3E3B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6045265 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wscapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wtsapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winsta.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: devobj.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: napinsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: pnrpnsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wshbth.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: nlaapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winrnr.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: version.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: sxs.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: vbscript.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: rsaenh.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msisip.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wshext.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrobj.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptnet.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: winnsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: mpr.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrrun.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: smphost.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: mispace.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: sxshared.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wmiclnt.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wevtapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: virtdisk.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: resutils.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: clusapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wmidcom.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wmitomi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: fastprox.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: cscapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: fmifs.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: ulib.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: ifsutil.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: healthapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wsp_fs.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: netapi32.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: sscore.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: ntdsapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: logoncli.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wsp_sr.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: tdh.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wsp_health.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: healthapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wscapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
                                Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiStatic file information: File size 2994176 > 1048576
                                Source: Binary string: \mscorlib.pdbpdblib.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2808155599.00000185432F6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Options/netstandard2.1-Release/Microsoft.Extensions.Options.pdb source: Microsoft.Extensions.Options.dll.29.dr
                                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2808155599.00000185432F6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb l:l ,l_CorExeMainmscoree.dll source: AgentPackageTicketing.exe, 0000002D.00000000.2436396451.000001E702222000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: \??\C:\Windows\System.pdbVN$! source: rundll32.exe, 0000003B.00000002.2613632394.0000000003542000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2610744416.0000000003542000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000014.00000002.2025861405.000002DF3C412000.00000002.00000001.01000000.00000018.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3043844550.000001E702A32000.00000002.00000001.01000000.00000052.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2587520528.000001FA27AB6000.00000002.00000001.01000000.00000049.sdmp, AgentPackageSystemTools.exe, 0000003C.00000002.2583145852.000001F3ECDE2000.00000002.00000001.01000000.00000045.sdmp
                                Source: Binary string: t.pdb source: AteraAgent.exe, 0000001D.00000002.2767552688.000001D27039D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000000.2411035801.000001852A082000.00000002.00000001.01000000.00000026.sdmp, AgentPackageUpgradeAgent.exe, 00000029.00000002.2775900357.000001852A37E000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2166181011.00000230A5A12000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2164484533.00000230A56A2000.00000002.00000001.01000000.0000001D.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdbSHA256G source: AgentPackageInternalPoller.exe, 00000031.00000002.2527434692.00000297FB322000.00000002.00000001.01000000.0000003D.sdmp
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net6.0-Release/System.Diagnostics.EventLog.pdbSHA256 source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E20000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: b.pdb source: AgentPackageOsUpdates.exe, 00000033.00000002.2557336050.000002573D98E000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: dows\dll\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2808155599.00000185432F6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdbSHA256 source: AgentPackageInternalPoller.exe, 00000031.00000002.2535588367.00000297FB712000.00000002.00000001.01000000.00000040.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbdq source: AgentPackageTicketing.exe, 0000002D.00000002.3043844550.000001E702A32000.00000002.00000001.01000000.00000052.sdmp
                                Source: Binary string: ent.pdb0P source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2770623203.00000031795D2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdb source: AgentPackageOsUpdates.exe, 00000033.00000002.2554470723.000002573D812000.00000002.00000001.01000000.00000042.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000D.00000002.2376150586.00000187F04F2000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdbu source: AgentPackageTicketing.exe, 0000002D.00000002.3043456964.000001E702A12000.00000002.00000001.01000000.00000051.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\AgentPackageProgramManagement\obj\Release\AgentPackageProgramManagement.pdb source: AgentPackageProgramManagement.exe, 00000036.00000000.2478544507.000001FA27192000.00000002.00000001.01000000.0000002F.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\ThirdPartyPackageManager\obj\Release\ThirdPartyPackageManager.pdb source: AgentPackageProgramManagement.exe, 00000036.00000002.2586073421.000001FA27A72000.00000002.00000001.01000000.00000048.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000014.00000000.2006729055.000002DF3BAE2000.00000002.00000001.01000000.00000016.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D270987000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2165093862.00000230A57E2000.00000002.00000001.01000000.0000001F.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000003.00000003.1789074978.0000000004EF3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004D85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.0000000004698000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2492428504.00000000046DD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2613315327.00000000034C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2595777359.00000000034C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2616967072.000000000782F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D29000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.57.dr
                                Source: Binary string: e089\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2808155599.00000185432F6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb| source: rundll32.exe, 0000003B.00000002.2613315327.00000000034C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2595777359.00000000034C4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdbs source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2808155599.00000185432F6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2770623203.00000031795D2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdbC source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2808155599.00000185432F6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2781574533.000001852A932000.00000002.00000001.01000000.0000004F.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi
                                Source: Binary string: c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmp
                                Source: Binary string: C:\buildAgent\work\1b72bc6dac87fa71\code_drop\merge\chocolatey.pdb source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmp
                                Source: Binary string: ?4nC:\Windows\Installer\MSI3E3B.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2611165258.0000000000E07000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000003.00000003.1789074978.0000000004EF3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004D85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.0000000004698000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2492428504.00000000046DD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D29000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000021.00000002.2164484533.00000230A56A2000.00000002.00000001.01000000.0000001D.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000014.00000002.2025861405.000002DF3C412000.00000002.00000001.01000000.00000018.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2587520528.000001FA27AB6000.00000002.00000001.01000000.00000049.sdmp
                                Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbviderp source: rundll32.exe, 0000003B.00000002.2613315327.00000000034C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2595777359.00000000034C4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2770623203.00000031795D2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbcccGCTL source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2808155599.00000185432DA000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/netstandard2.0/Newtonsoft.Json.pdbSHA256 source: Newtonsoft.Json.dll5.29.dr
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2179677636.00007FFDF168A000.00000002.00000001.01000000.0000001B.sdmp
                                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 0000003B.00000002.2613315327.00000000034C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2595777359.00000000034C4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2167238139.00000230A5BB2000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/netstandard2.0/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll5.29.dr
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Options/netstandard2.1-Release/Microsoft.Extensions.Options.pdbSHA256 source: Microsoft.Extensions.Options.dll.29.dr
                                Source: Binary string: \??\C:\Windows\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2808155599.00000185432F6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMarketplace\AgentPackageMarketplace\obj\Release\AgentPackageMarketplace.pdb source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709B4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000021.00000002.2165093862.00000230A57E2000.00000002.00000001.01000000.0000001F.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2613592612.000000000352D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2595592547.000000000352C000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000C.00000000.1855579783.00000145EC802000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: HP(n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2611165258.0000000000E07000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb< source: AgentPackageAgentInformation.exe, 00000014.00000000.2006729055.000002DF3BAE2000.00000002.00000001.01000000.00000016.sdmp, AteraAgent.exe, 0000001D.00000002.2772772048.000001D270987000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000021.00000002.2167238139.00000230A5BB2000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: \??\C:\Windows\dll\System.pdb9ki # source: rundll32.exe, 0000003B.00000002.2613632394.0000000003542000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2610744416.0000000003542000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2770623203.00000031795D2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdbH source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2808155599.00000185432F6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.41.dr
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1789074978.0000000004EF3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004D85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.0000000004698000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2492428504.00000000046DD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D29000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb^ source: rundll32.exe, 0000003B.00000002.2613592612.000000000352D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2595592547.000000000352C000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\21\obj\Microsoft.ApplicationInsights\Release\src\Microsoft.ApplicationInsights\net45\Microsoft.ApplicationInsights.pdb source: AgentPackageSystemTools.exe, 0000003C.00000002.2585821846.000001F3EDCC2000.00000002.00000001.01000000.00000047.sdmp
                                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: AgentPackageOsUpdates.exe, 00000033.00000002.2557336050.000002573D956000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1855579783.00000145EC802000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: \??\C:\Windows\Installer\MSI3E3B.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2613315327.00000000034C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2595777359.00000000034C4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E10000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AgentPackageInternalPoller.exe, 00000031.00000000.2460220681.00000297E2222000.00000002.00000001.01000000.0000002B.sdmp
                                Source: Binary string: \??\C:\Windows\dll\System.pdb]kM ' source: rundll32.exe, 0000003B.00000003.2610744416.0000000003542000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000D.00000002.2376150586.00000187F04F2000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2166762577.00000230A5AF2000.00000002.00000001.01000000.00000022.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2165991306.00000230A5982000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000021.00000002.2166181011.00000230A5A12000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net6.0-Release/System.Diagnostics.EventLog.pdb source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E20000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq.Queryable\4.0.1.0\System.Linq.Queryable.pdb source: System.Linq.Queryable.dll.29.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78AC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2026566391.000002DF54C12000.00000002.00000001.01000000.00000019.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2454217453.0000023C015E0000.00000002.00000001.01000000.0000002A.sdmp
                                Source: Binary string: ]c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1789074978.0000000004F24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78AC000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.00000000046C9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2026566391.000002DF54C12000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2166762577.00000230A5AF2000.00000002.00000001.01000000.00000022.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2454217453.0000023C015E0000.00000002.00000001.01000000.0000002A.sdmp, rundll32.exe, 00000039.00000003.2492428504.000000000470E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2506238221.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb!* source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2770623203.00000031795D2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E10000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2781574533.000001852A932000.00000002.00000001.01000000.0000004F.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AgentPackageOsUpdates.exe, 00000033.00000000.2467778137.0000025724702000.00000002.00000001.01000000.0000002C.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdbr source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 00000031.00000002.2535588367.00000297FB712000.00000002.00000001.01000000.00000040.sdmp
                                Source: Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2770623203.00000031795D2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdbSHA256I5 source: AgentPackageOsUpdates.exe, 00000033.00000002.2554470723.000002573D812000.00000002.00000001.01000000.00000042.sdmp
                                Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2616967072.000000000782F000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2770623203.00000031795D2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb source: AgentPackageOsUpdates.exe, 00000033.00000002.2508621713.0000025724B72000.00000002.00000001.01000000.00000039.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1907649344.00000145EED02000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1907649344.00000145EED02000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 0000002D.00000002.3043456964.000001E702A12000.00000002.00000001.01000000.00000051.sdmp
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDBPu]y1 source: AgentPackageUpgradeAgent.exe, 00000029.00000002.2770623203.00000031795D2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdba^{^ m^_CorDllMainmscoree.dll source: AgentPackageOsUpdates.exe, 00000033.00000002.2508621713.0000025724B72000.00000002.00000001.01000000.00000039.sdmp
                                Source: Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.41.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 00000031.00000002.2527434692.00000297FB322000.00000002.00000001.01000000.0000003D.sdmp
                                Source: Binary string: dows\dll\System.pdb]kM ' source: rundll32.exe, 0000003B.00000002.2613632394.0000000003542000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 0000002D.00000000.2436396451.000001E702222000.00000002.00000001.01000000.00000027.sdmp
                                Source: BouncyCastle.Crypto.dll.1.drStatic PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1541910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,33_2_00007FFDF1541910
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_3_04F74ECF push dword ptr [esp+ecx*2-75h]; ret 4_3_04F74ED3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B400AF2 pushad ; ret 13_2_00007FFD9B400AF9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B3FE257 push ebx; iretd 13_2_00007FFD9B3FE25A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B6052E5 push es; iretd 13_2_00007FFD9B605587
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B5F180C push eax; ret 13_2_00007FFD9B5F1824
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B5F02C1 push eax; ret 13_2_00007FFD9B5F02E4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B5F5E84 push eax; ret 13_2_00007FFD9B5F5EB4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B5F0AF1 push eax; ret 13_2_00007FFD9B5F0B14
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_3_047E57B8 push es; ret 16_3_047E5840
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_3_047E4E9C push es; ret 16_3_047E4EA0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_3_06C284A1 push es; ret 16_3_06C284B0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_3_06C24ECF push dword ptr [esp+ecx*2-75h]; ret 16_3_06C24ED3
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_3_06C218F0 push es; ret 16_3_06C21900
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_3_06C21961 push es; ret 16_3_06C21970
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3DD5C9 push ds; retf 5F55h20_2_00007FFD9B3DD92F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3D00BD pushad ; iretd 20_2_00007FFD9B3D00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3E55BB push esp; iretd 20_2_00007FFD9B3E55D9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B407C2E pushad ; retf 22_2_00007FFD9B407C5D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3F00BD pushad ; iretd 22_2_00007FFD9B3F00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFD9B3E00BD pushad ; iretd 24_2_00007FFD9B3E00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B406BD3 pushad ; iretd 29_2_00007FFD9B406C19
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B3FA658 push eax; retf 29_2_00007FFD9B3FA669
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B3FA652 push eax; retf 29_2_00007FFD9B3FA669
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B4025F2 push eax; iretd 29_2_00007FFD9B402671
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 29_2_00007FFD9B600F64 push eax; ret 29_2_00007FFD9B600F94
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF156FAB0 push rbp; ret 33_2_00007FFDF156FAB1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1558961 push r8; ret 33_2_00007FFDF1558963
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFD9B404BD9 push ecx; retf 33_2_00007FFD9B404BDB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFD9B3F8426 push eax; ret 33_2_00007FFD9B3F846D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFD9B612408 push es; ret 33_2_00007FFD9B612557
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFD9B71D3F9 pushad ; ret 33_2_00007FFD9B71D409

                                Persistence and Installation Behavior

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log
                                Source: C:\Windows\System32\msiexec.exeFile created: 5b250e.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\msimsg.dll5b2509.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Physical.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI264A.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5698.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3E3B.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3699.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3C45.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.EnvironmentVariables.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3699.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI264A.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3C45.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\clist.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3C45.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6B66.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\de\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cuninst.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7z.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\ru\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5698.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2A13.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Binder.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 5b250d.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2A13.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\choco.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI91A3.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI264A.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7628.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3E3B.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\chocolatey.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI752D.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Sinks.File.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.UserSecrets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9115.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 5b250c.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3E3B.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-CN\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cinst.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.FileExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\msimsg.dll5b250f.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\es\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9201.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5698.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2A13.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileSystemGlobbing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9A7E.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2A13.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI264A.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5698.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3C45.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5698.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6B66.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\msimsg.dll5b2509.rbf (copy)Jump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI264A.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3E3B.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3699.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3699.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2A13.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3C45.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3E3B.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3699.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3EB9.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2A13.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3F75.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI91A3.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI264A.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3C45.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3699.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3C45.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI264A.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5698.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI264A.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7628.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3699.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3E3B.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7348.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5698.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3C45.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3E3B.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2A13.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\AteraSetupLog.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\LICENSE.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7zip.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.license.txt

                                Boot Survival

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF153A524 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,33_2_00007FFDF153A524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                                Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent="Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 145ECB60000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 145EE490000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 187D6F70000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 187EF630000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 2DF3BF00000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 2DF544A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 20400510000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 20418700000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 22B13A20000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 22B2C110000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1D257AA0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1D26FB70000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 2308CE40000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 230A4E80000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 1EBD66A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 1EBEEA40000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Memory allocated: 1852A2B0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Memory allocated: 18542A90000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Memory allocated: 23C01010000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Memory allocated: 23C196E0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Memory allocated: 1E7029D0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Memory allocated: 1E71AAD0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Memory allocated: 22F58310000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Memory allocated: 22F70990000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Memory allocated: 297E2590000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Memory allocated: 297FAC30000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe Memory allocated: 25724970000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe Memory allocated: 2573D150000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Memory allocated: 1FA27940000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Memory allocated: 1FA3FB10000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe Memory allocated: 1F3ECDB0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe Memory allocated: 1F3ED480000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 2993
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 6679
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Window / User API: threadDelayed 2632
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Window / User API: threadDelayed 6017
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 5394
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 4118
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Window / User API: threadDelayed 1486
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Window / User API: threadDelayed 1877
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Window / User API: threadDelayed 1549
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Window / User API: threadDelayed 5628
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Window / User API: threadDelayed 4004
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Window / User API: threadDelayed 1328
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 5b250e.rbf (copy)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Physical.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI264A.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI5698.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3E3B.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3699.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2A13.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3F75.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI5698.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.ServiceProcess.ServiceController.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3E3B.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3EB9.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3699.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7348.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3C45.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.ConfigurationExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 5b250b.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.Extensions.ManagedClient.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3699.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Logging.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2A13.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI264A.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI264A.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\browser\lib\net6.0\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2A13.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\choco.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI91A3.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI264A.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7628.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3E3B.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\chocolatey.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI752D.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Sinks.File.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.UserSecrets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9115.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 5b250c.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3E3B.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-CN\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cinst.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.FileExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\msimsg.dll5b250f.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\es\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9201.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI5698.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2A13.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dll
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileSystemGlobbing.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key enumerated: More than 126 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 4588Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5356Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3748Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6232Thread sleep count: 2993 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6232Thread sleep count: 6679 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7240Thread sleep count: 33 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7240Thread sleep time: -30437127721620741s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7288Thread sleep time: -110000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7300Thread sleep time: -3689348814741908s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7284Thread sleep time: -180000s >= -30000s
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 7332Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7624Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7604Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7864Thread sleep count: 2632 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7864Thread sleep count: 6017 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -16602069666338586s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -599875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -599766s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -599641s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -599532s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -599407s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -599282s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -599172s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -599063s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -598938s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -598813s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -598688s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -598563s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -598453s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -598344s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -598219s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -598110s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -597985s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -597860s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -597735s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -597610s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -597485s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -597360s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -597235s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -597110s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -596985s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -596860s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -596735s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -596610s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -596485s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -596360s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -596235s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5944Thread sleep time: -596110s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1888Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7700Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7832Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7980Thread sleep count: 5394 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7980Thread sleep count: 4118 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8152Thread sleep count: 34 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8152Thread sleep time: -31359464925306218s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8188Thread sleep time: -250000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1260Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8184Thread sleep time: -270000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6096Thread sleep count: 1486 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 1856Thread sleep count: 1877 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6048Thread sleep time: -13835058055282155s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6048Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6204Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6404Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1528Thread sleep count: 1549 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1528Thread sleep count: 272 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7032Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 7548Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 3520Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 7516Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 7640Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4608Thread sleep count: 5628 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep count: 37 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -34126476536362649s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -599840s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -599594s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -599435s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -599219s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -599063s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -598875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -598719s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -598578s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4608Thread sleep count: 4004 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -598469s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -598354s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -598248s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -598095s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -597953s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -597809s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -597698s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -597569s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -597439s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -597313s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -597202s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -597093s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -596976s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -596860s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -596672s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -596543s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -596432s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -596306s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -596169s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -596046s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -595934s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -595828s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -595719s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -595609s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -595500s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -595391s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -595266s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -595125s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -595016s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -594891s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -594781s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -594662s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -594513s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -594391s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -594249s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -594100s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -593977s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -593860s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -593725s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -593578s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -593432s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -593219s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -593093s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -592966s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -592858s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -592699s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -592590s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -592481s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -592375s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -592266s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -592141s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -592031s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -591909s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -591784s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -591656s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -591547s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -591423s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -591298s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -590860s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -590622s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -590313s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1720Thread sleep time: -590132s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6564Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6512Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 7120Thread sleep count: 190 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 2300Thread sleep count: 104 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 7076Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 7808Thread sleep count: 241 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 2136Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 7264Thread sleep time: -3689348814741908s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 1664Thread sleep count: 1328 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 2024Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 1716Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 4956Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 7864Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe TID: 7224Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 90000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599766
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599641
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599532
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599407
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599282
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599172
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599063
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598938
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598813
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598688
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598563
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598219
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598110
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597985
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597735
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597610
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597485
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597360
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597235
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597110
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596985
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596735
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596610
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596485
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596360
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596235
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596110
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599840
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599594
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599435
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599219
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599063
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598719
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598469
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598354
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598248
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598095
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597953
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597809
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597698
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597569
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597439
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597313
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597202
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596976
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596543
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596432
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596306
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596169
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596046
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595934
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595828
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595719
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595609
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595500
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595391
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595266
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595016
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594891
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594781
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594662
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594513
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594391
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594249
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594100
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593977
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593725
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593432
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593219
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592966
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592858
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592699
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592481
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592266
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591909
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591784
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591423
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591298
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590622
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590313
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590132
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7687000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service0
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2564370071.000001EBEF516000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2222699435.00000204006B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStoppedl
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2221692229.00000204005F0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000024.00000002.2557354955.000001EBEF3B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
                                Source: svchost.exe, 00000023.00000002.3037503161.0000025A3B2A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C2942FCE4D06663969F532E45D1A#
                                Source: svchost.exe, 00000023.00000002.3037662955.0000025A3B2BC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +@"VMware"42624
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2564370071.000001EBEF516000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}"6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AteraAgent.exe, 0000000C.00000002.1907230385.00000145EE465000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2371925166.00000187EFD6D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2373366773.00000187F018D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2373366773.00000187F0105000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000029.00000002.2808155599.00000185432A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2229295879.0000020418F09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
                                Source: AteraAgent.exe, 0000000C.00000002.1907230385.00000145EE380000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBn
                                Source: svchost.exe, 00000023.00000002.3037986565.0000025A3B2CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $@friendlyname"vmware virtual disk"
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2517339397.000001EBD6AC3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"p^/
                                Source: svchost.exe, 00000023.00000002.3037503161.0000025A3B2A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2564370071.000001EBEF516000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2231410404.000002047FD84000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000024.00000002.2509151088.000001EBD6459000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2517339397.000001EBD6AC3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: |Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D270987000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                                Source: svchost.exe, 00000023.00000003.2176103010.0000025A3B61A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C2942FCE4D06663969F532E45D1A
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7687000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service0
                                Source: svchost.exe, 00000023.00000002.3037662955.0000025A3B2B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @friendlyname"vmware virtual disk"OCALE
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2555598687.000001EBEF38F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicshutdownvmicshutdownStopped
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2555598687.000001EBEF38F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2164295061.00000230A5672000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: vmware
                                Source: svchost.exe, 00000023.00000002.3037151173.0000025A3B24D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JSetPropValue.Manufacturer("VMware");
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2555598687.000001EBEF38F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStopped
                                Source: AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2517339397.000001EBD6AC3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2517339397.000001EBD6AC3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
                                Source: rundll32.exe, 00000004.00000002.1840352017.00000000033BB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7687000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface0
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7687000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Volume Shadow Copy Requestor0
                                Source: svchost.exe, 00000023.00000002.3037014531.0000025A3B213000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: E45D1A0VMwareVirtual disk0
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2517339397.000001EBD6AC3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service@a>
                                Source: AgentPackageProgramManagement.exe, 00000036.00000002.2646156772.000001FA403B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrrJ*
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2221692229.00000204005F0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000024.00000002.2517339397.000001EBD6AC3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000024.00000002.2557354955.000001EBEF3B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2222584329.0000020400692000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2222584329.0000020400692000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000024.00000002.2517339397.000001EBD6AC3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2517339397.000001EBD6AC3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2555598687.000001EBEF38F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                                Source: svchost.exe, 00000023.00000002.3037151173.0000025A3B24D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dSetPropValue.FriendlyName("VMware Virtual disk");
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2517339397.000001EBD6AC3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Win32_Service.Name="vmicshutdown"p^/
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2222699435.00000204006B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStoppedr
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7687000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service0
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2517339397.000001EBD6AC3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2555598687.000001EBEF39A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicvssvmicvssStopped
                                Source: svchost.exe, 00000023.00000002.3037503161.0000025A3B2A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disks;Z
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2222699435.00000204006B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2509151088.000001EBD6459000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStoppedl!
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7687000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service0
                                Source: svchost.exe, 00000023.00000002.3037064782.0000025A3B22B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMware20,1NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                                Source: svchost.exe, 00000023.00000002.3036913101.0000025A3B200000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN
                                Source: rundll32.exe, 00000010.00000002.1960480565.0000000000B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2026768522.000002DF54CC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2767552688.000001D27039D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2165282034.00000230A5896000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000029.00000002.2807789707.0000018543294000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002F.00000002.2492743084.0000022F711DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000031.00000002.2528909120.00000297FB4E1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2613592612.000000000352D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2595592547.000000000352C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                Source: AgentPackageTicketing.exe, 0000002D.00000002.3423566244.000001E71B430000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKK
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2231410404.000002047FD84000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStopped
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2221692229.00000204005F0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000024.00000002.2557354955.000001EBEF3B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped
                                Source: svchost.exe, 00000023.00000002.3037503161.0000025A3B2A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                                Source: AteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2164295061.00000230A5672000.00000002.00000001.01000000.0000001C.sdmp, AgentPackageMonitoring.exe, 00000021.00000000.2112750455.000002308C632000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: get_IsVirtualMachine
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2222584329.0000020400692000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2517339397.000001EBD6AC3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "Win32_Service.Name="vmicheartbeat"p^/
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2222699435.00000204006B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2564370071.000001EBEF516000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll18}:
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7687000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service0
                                Source: AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7687000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service0
                                Source: svchost.exe, 00000023.00000002.3037151173.0000025A3B24D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@SetPropValue.FriendlyName("VMware Virtual disk");
                                Source: svchost.exe, 00000023.00000003.2505673538.0000025A3B2E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SPACES_PhysicalDisk{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AteraAgent.exe, 0000000C.00000002.1907230385.00000145EE412000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`R<
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2221692229.00000204005F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStopped
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2517339397.000001EBD6AC3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service
                                Source: AgentPackageAgentInformation.exe, 00000024.00000002.2557354955.000001EBEF3B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStopped#
                                Source: svchost.exe, 00000023.00000002.3037064782.0000025A3B22B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMware20,1NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0s
                                Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformation
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1541910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,33_2_00007FFDF1541910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF157B9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,33_2_00007FFDF157B9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF1537A84 GetProcessHeap,33_2_00007FFDF1537A84
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF153ACD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,33_2_00007FFDF153ACD4
                                Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: page read and write | page guard

                                HIPS / PFW / Operating System Protection Evasion

                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 20.37.139.187 443
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="wupdate10hotmail.com" /CompanyId="3" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000LYyQnIAL" /AgentId="62ae0c2e-ffb4-481a-8335-a07d991966c0"
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "504a98f9-ca9a-4a89-a079-990a1f1a6906" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "bb464f1f-ebde-405c-84eb-3837e985cf22" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "ddae9b04-c290-43f2-85d0-fe3323cd32b1" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "9e035915-6b26-402d-981e-e84a6229a7bd" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "3fbee305-e327-428f-bda1-2bc18be2bca1" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "4606faac-dcd3-48ea-96a4-be9dbf55b685" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "fbadf2d1-7f6e-423f-8961-d7e14595905e" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "e1ec0629-d8c8-4b00-8645-21892e1a8ada" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "cd4ff46e-95ac-4992-9056-7f18e16c3d90" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "35c7d0a2-9c2c-4240-a355-655b2bc909c2" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "78953d77-04f4-4927-96f2-48ea76bda9be" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "211dffe3-b620-4fa7-85bc-a6b32d161c63" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000LYyQnIAL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Process created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: unknown unknown
                                Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="wupdate10hotmail.com" /companyid="3" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000lyyqnial" /agentid="62ae0c2e-ffb4-481a-8335-a07d991966c0"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "504a98f9-ca9a-4a89-a079-990a1f1a6906" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000lyyqnial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "bb464f1f-ebde-405c-84eb-3837e985cf22" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q300000lyyqnial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "ddae9b04-c290-43f2-85d0-fe3323cd32b1" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q300000lyyqnial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "9e035915-6b26-402d-981e-e84a6229a7bd" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000lyyqnial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "3fbee305-e327-428f-bda1-2bc18be2bca1" agent-api.atera.com/production 443 or8ixli90mf "generalinfo" 001q300000lyyqnial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageupgradeagent\agentpackageupgradeagent.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "4606faac-dcd3-48ea-96a4-be9dbf55b685" agent-api.atera.com/production 443 or8ixli90mf "checkforupdates" 001q300000lyyqnial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageticketing\agentpackageticketing.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "fbadf2d1-7f6e-423f-8961-d7e14595905e" agent-api.atera.com/production 443 or8ixli90mf "maintain" 001q300000lyyqnial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "e1ec0629-d8c8-4b00-8645-21892e1a8ada" agent-api.atera.com/production 443 or8ixli90mf "downloadifneeded" 001q300000lyyqnial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageinternalpoller\agentpackageinternalpoller.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "cd4ff46e-95ac-4992-9056-7f18e16c3d90" agent-api.atera.com/production 443 or8ixli90mf "pollall" 001q300000lyyqnial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageosupdates\agentpackageosupdates.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "35c7d0a2-9c2c-4240-a355-655b2bc909c2" agent-api.atera.com/production 443 or8ixli90mf "getlistofallupdates" 001q300000lyyqnial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageprogrammanagement\agentpackageprogrammanagement.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "78953d77-04f4-4927-96f2-48ea76bda9be" agent-api.atera.com/production 443 or8ixli90mf "syncinstalledapps" 001q300000lyyqnial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagesystemtools\agentpackagesystemtools.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "211dffe3-b620-4fa7-85bc-a6b32d161c63" agent-api.atera.com/production 443 or8ixli90mf "probe" 001q300000lyyqnial
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 33_2_00007FFDF153739C cpuid 33_2_00007FFDF153739C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
                                Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI264A.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI264A.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI2A13.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI2A13.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI2A13.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI3C45.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI3C45.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI5698.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI5698.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI5698.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI3699.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI3699.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI3E3B.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI3E3B.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI3E3B.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF153CC04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,33_2_00007FFDF153CC04
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 33_2_00007FFDF15385D4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,33_2_00007FFDF15385D4
                                Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct

                                Remote Access Functionality

                                Source: Yara matchFile source: 60.2.AgentPackageSystemTools.exe.1f3ecde0000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 45.2.AgentPackageTicketing.exe.1e702a10000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 47.0.AgentPackageSTRemote.exe.22f57fc0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 45.0.AgentPackageTicketing.exe.1e702220000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 20.2.AgentPackageAgentInformation.exe.2df3c410000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 20.0.AgentPackageAgentInformation.exe.2df3bae0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 54.0.AgentPackageProgramManagement.exe.1fa27190000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.0.AteraAgent.exe.145ec800000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 60.0.AgentPackageSystemTools.exe.1f3eca70000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 33.0.AgentPackageMonitoring.exe.2308c630000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 45.2.AgentPackageTicketing.exe.1e702a30000.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 33.2.AgentPackageMonitoring.exe.230a5670000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 41.0.AgentPackageUpgradeAgent.exe.1852a080000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 51.2.AgentPackageOsUpdates.exe.25724b70000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 51.0.AgentPackageOsUpdates.exe.25724700000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 49.0.AgentPackageInternalPoller.exe.297e2220000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 00000003.00000003.1789074978.0000000004EF3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2663679651.000001D25822E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000003.2761532899.000001EEB5A5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2359409965.00000187D7687000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2231410404.000002047FD1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2663679651.000001D258034000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2508621713.0000025724B72000.00000002.00000001.01000000.00000039.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2772772048.000001D270936000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2473754658.0000022F58AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000000.2411035801.000001852A082000.00000002.00000001.01000000.00000026.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000024.00000002.2584738823.000001EBEF61A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000024.00000002.2509151088.000001EBD63D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2656573181.000001D25757C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2359409965.00000187D7B6B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2222994795.0000020400793000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2066213265.0000022B14193000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000024.00000002.2517339397.000001EBD6A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1906573647.00000145ECAD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357586706.00000187D6BF0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000000.1855579783.00000145EC802000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000003.2492428504.00000000046DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2464955727.0000022F58190000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2371925166.00000187EFD3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2561695236.000001FA27294000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2772772048.000001D2708CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2464955727.0000022F581DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2371925166.00000187EFDCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2222994795.0000020400925000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2472978790.0000013F8935B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2663679651.000001D257F9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000003.2057786344.0000018AF64C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1906573647.00000145ECA10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000000.2539693932.000001F3ECA72000.00000002.00000001.01000000.00000041.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000003.2712411884.000001EEB63BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2167592950.00000230A67B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3044688006.000001E702AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2147967705.0000018AF63AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3038271119.000001E70234C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000003.2708574073.000001EEB62F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1961821022.0000000004841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2231410404.000002047FD3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357762230.00000187D6D30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3043456964.000001E702A12000.00000002.00000001.01000000.00000051.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1902282659.00000145800B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2164295061.00000230A5672000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000024.00000002.2516099692.000001EBD66C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2513968127.00000257251D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2528909120.00000297FB4E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2025970680.000002DF3C4A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2147967705.0000018AF63A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2165282034.00000230A5830000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2762831476.000001EEB5A72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2473754658.0000022F58991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000024.00000002.2560612876.000001EBEF430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2508586406.00000297E2E65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2156062555.000002308C770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2167854461.00000230A6A10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2781184859.000001852A535000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2472978790.0000013F89350000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2663679651.000001D258276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2663679651.000001D257B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2066016562.0000022B13A70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2359409965.00000187D79B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1902282659.0000014580001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1906573647.00000145ECA9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3038271119.000001E702366000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000002.1841281458.00000000050F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2472978790.0000013F89373000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2775900357.000001852A33E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2064957753.0000022B13860000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2165282034.00000230A5896000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2231410404.000002047FDDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2513968127.000002572569D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2436037477.0000023C00DA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1961821022.00000000048E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1902282659.0000014580089000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2508586406.00000297E2C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2231410404.000002047FD84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2561695236.000001FA2722B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2508586406.00000297E2E6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2231410404.000002047FD00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2222994795.0000020400CBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2025257696.000002DF3BC63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3044688006.000001E702B4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2663679651.000001D25836A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2561170507.000001F3ECBEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2583145852.000001F3ECDE2000.00000002.00000001.01000000.00000045.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2222994795.0000020400979000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000024.00000002.2517339397.000001EBD6A87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2436037477.0000023C00DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2373366773.00000187F0157000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2528909120.00000297FB55A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2561695236.000001FA27210000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2499259169.000002572499C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2656573181.000001D257548000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2473754658.0000022F58A08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2508586406.00000297E2E5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2359409965.00000187D78F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1907844185.00000145EEF2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000024.00000002.2566497144.000001EBEF531000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1907587048.00000145EEC70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2663679651.000001D258198000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2663679651.000001D257DA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1902282659.000001458008C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2499259169.0000025724A1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2513968127.00000257253B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2663679651.000001D257E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1908595752.00007FFD9B494000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2456771902.0000023C016E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2456771902.0000023C01763000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2557336050.000002573D956000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3038271119.000001E702381000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2508586406.00000297E2E5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2808155599.00000185432AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2663679651.000001D257E3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2357762230.00000187D6D6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2025257696.000002DF3BCAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2436037477.0000023C00E26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2663679651.000001D257E45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2663679651.000001D258430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2359409965.00000187D7A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3043844550.000001E702A32000.00000002.00000001.01000000.00000052.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2156062555.000002308C77C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2508586406.00000297E2E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2656573181.000001D257540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2496331390.00000297E2340000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2371925166.00000187EFD6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003B.00000002.2614896906.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2663679651.000001D257BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1907230385.00000145EE380000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2222994795.000002040085E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1906573647.00000145ECA70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000000.2006729055.000002DF3BAE2000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2762831476.000001EEB5A7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1906435479.00000145EC9A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2592249923.000001FA27DE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2359409965.00000187D7631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2231076704.00000204190B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2513968127.0000025725340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3035848311.00000098004F1000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2528909120.00000297FB53F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2508586406.00000297E2D9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2359409965.00000187D78AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2221692229.00000204005F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2655340408.000001D257380000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000000.2467778137.0000025724702000.00000002.00000001.01000000.0000002C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2561170507.000001F3ECC21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3038271119.000001E7023CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2561695236.000001FA27218000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2783811676.000001852AD12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2775900357.000001852A37E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2592249923.000001FA27DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2513968127.00000257251C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000000.2478544507.000001FA27192000.00000002.00000001.01000000.0000002F.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000005.00000003.1843418908.00000000048B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2592249923.000001FA27C0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3038271119.000001E702340000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2147967705.0000018AF63C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000003.1911590351.0000000004698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2592249923.000001FA27C66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2025970680.000002DF3C513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2359409965.00000187D77E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2772772048.000001D270907000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2158512868.000002308CE81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000003.2761629412.000001EEB5A70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2454010327.0000023C01090000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2663679651.000001D2581CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000000.2460220681.00000297E2222000.00000002.00000001.01000000.0000002B.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2496331390.00000297E2345000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2464814597.0000022F58170000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6024, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3848, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3748, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 3912, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 3444, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7192, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7560, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7648, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7764, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 7836, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cscript.exe PID: 7904, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 7924, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageMonitoring.exe PID: 4076, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 3164, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 4336, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cscript.exe PID: 7364, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 7540, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 7556, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageTicketing.exe PID: 7584, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageSTRemote.exe PID: 6392, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageInternalPoller.exe PID: 6672, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageOsUpdates.exe PID: 7860, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 2344, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageProgramManagement.exe PID: 8132, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5436, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 8000, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageSystemTools.exe PID: 5052, type: MEMORYSTR
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF33240F6687B6B9EE.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF20A3BE0DDB7494A9.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI5698.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI3699.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF1B46B0D5C1119819.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF36FDFBBA3E53577F.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF519946364BE93146.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF1591E8985252195A.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF533C0A14230452D9.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI9114.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\08-29-2024 04_34_23-log.txt, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF04AD7AF9A69DBE6F.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFB319C87D74F5AC11.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFDED6DBFC236D96A7.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\AteraSetupLog.txt, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI3E3A.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI7328.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFF63C46A253E291BD.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\5b2508.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI3C45.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFCA1F7B08DDD54517.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFCCE0A42FD3B63322.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF1D775E85030B078D.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\choco.summary.log, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI264A.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\5b2510.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF55953B35FD07CE90.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\08-29-2024 04_34_22-log.txt, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI3E3B.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI2A13.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\5b2503.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF67AE738D5B83914E.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF317748A319DD3D03.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF1EB00227774853C0.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 33_2_00007FFDF157B9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,33_2_00007FFDF157B9F0
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gather Victim Identity Information | 1 Scripting | 1 Replication Through Removable Media | 541 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 21 Disable or Modify Tools | OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 22 Windows Service | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | 22 Windows Service | 111 Process Injection | 31 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 11 Scheduled Task/Job | 11 Scheduled Task/Job | 11 Scheduled Task/Job | 1 Timestomp | NTDS | 165 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | 11 Service Execution | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Query Registry | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 571 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items123
                                Masquerading
                                DCSync11
                                Process Discovery
                                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                                Modify Registry
                                Proc Filesystem361
                                Virtualization/Sandbox Evasion
                                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt361
                                Virtualization/Sandbox Evasion
                                /etc/passwd and /etc/shadow1
                                Application Window Discovery
                                Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron111
                                Process Injection
                                Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                                Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
                                Rundll32
                                Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                                [Behavior graph (image not reproduced). Behavior Graph ID: 1501044; Sample: SecuriteInfo.com.Program.Re...; Startdate: 29/08/2024; Architecture: WINDOWS; Score: 100]

                                Source | Detection | Scanner | Label | Link
                                SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi | 21% | ReversingLabs | Win32.Trojan.Atera |
                                SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi | 15% | Virustotal | | Browse

                                Source | Detection | Scanner | Label | Link
                                5b250b.rbf (copy) | 0% | ReversingLabs | |
                                5b250c.rbf (copy) | 0% | ReversingLabs | |
                                5b250d.rbf (copy) | 0% | ReversingLabs | |
                                5b250e.rbf (copy) | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | 17% | ReversingLabs | Win32.Trojan.Atera |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dll | 0% | ReversingLabs | |
                                No Antivirus matches
                                No Antivirus matches
                                No contacted domains info
                                • 0%, Virustotal, Browse
                                • Avira URL Cloud: safe
                                unknown
                                https://chocolatey.org/compare.AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • 0%, Virustotal, Browse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.chocolatey.org/api/v2/pAgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27C66000.00000004.00000800.00020000.00000000.sdmpfalse
                                • 1%, Virustotal, Browse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent-api.atera.com/Production/Agent/track-event;rundll32.exe, 00000004.00000002.1841281458.00000000051D6000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1961821022.0000000004926000.00000004.00000800.00020000.00000000.sdmpfalse
                                • 0%, Virustotal, Browse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.2/AgentPackageAgentInformatiAteraAgent.exe, 0000000D.00000002.2359409965.00000187D7988000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpfalse
                                • 0%, Virustotal, Browse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstallerAteraAgent.exe, 0000000D.00000002.2359409965.00000187D76AC000.00000004.00000800.00020000.00000000.sdmpfalse
                                • 0%, Virustotal, Browse
                                • Avira URL Cloud: safe
                                unknown
                                http://acontrol.atera.com/AteraAgent.exe, 0000000C.00000000.1855579783.00000145EC802000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7631000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257B71000.00000004.00000800.00020000.00000000.sdmpfalse
                                • 0%, Virustotal, Browse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent-api.atera.com/Production/Agent/dynamic-fields/AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.0000020400928000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent-api.atera.com/Production/Agent/AgentStarting)AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78AC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7988000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://docs.nuget.org/create/Nuspec-Reference.AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zipAteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://docs.chocolatey.org/en-us/guides/create/create-custom-package-templatesAgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namerundll32.exe, 00000004.00000002.1841281458.00000000050F1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1841281458.0000000005194000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7631000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1961821022.0000000004841000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1961821022.00000000048E7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2025970680.000002DF3C523000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.0000020400928000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.0000020400701000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257B71000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000029.00000002.2783811676.000001852AA91000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3044688006.000001E702AD1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002F.00000002.2473754658.0000022F58A08000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000031.00000002.2508586406.00000297E2C50000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27B11000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2614896906.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2614896906.0000000004F90000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://community.chocolatey.org/api/v2/AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA281BC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Nhttps://agent.azureserviAgentPackageSystemTools.exe, 0000003C.00000002.2585821846.000001F3EDCC2000.00000002.00000001.01000000.00000047.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.chocolatey.org/packages).AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://docs.chocolatey.org/en-us/create/functions/get-toolslocationAgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.chocolatey.org/api/v2AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLEAteraAgent.exe, 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://crl3.digicSAteraAgent.exe, 0000000C.00000002.1907230385.00000145EE380000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.24.1.46.nupkgAgentPackageTicketing.exe, 0000002D.00000002.3043456964.000001E702A12000.00000002.00000001.01000000.00000051.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3044688006.000001E702B4F000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_outdated.gifAgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://docs.chocolatey.org/en-us/create/functions/uninstall-binfileAgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.2AgentPackageTicketing.exe, 0000002D.00000002.3044688006.000001E702E68000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://licensedpackages.chocolatey.org/api/v2/AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27B11000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnostiAgentPackageTicketing.exe, 0000002D.00000002.3043456964.000001E702A12000.00000002.00000001.01000000.00000051.sdmp, AgentPackageSystemTools.exe, 0000003C.00000000.2539693932.000001F3ECA72000.00000002.00000001.01000000.00000041.sdmp, AgentPackageSystemTools.exe, 0000003C.00000002.2553475532.000001F380001000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.w3.orAgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27E2A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA280FB000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27DE5000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://community.chocolatey.org/packages/autohotkey.portableAgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://gist.github.com/jvshahid/6fb2f91fa7fb1db23599AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40D91000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAgAteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://somewhere/bob.exeAgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent-api.atera.com/Production/Agent/thresholds/62ae0c2e-ffb4-481a-8335-a07d991966c0AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.chocolatey.org/api/v2/8AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27C66000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27B11000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d396c248-6ee3-4c2f-b43b-7ca1410ef556AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://aka.ms/dotnet/app-launch-failed&gui=trueShowingAteraAgent.exe, 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://docs.chocolatey.org/en-us/create/functions/get-osarchitecturewidthAgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/62ae0c2e-ffb4-481a-8335AteraAgent.exe, 0000000D.00000002.2359409965.00000187D79F8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D77F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257C1F000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://docs.chocolatey.org/en-us/create/functions/uninstall-chocolateyzippackageAgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000D.00000002.2359409965.00000187D76AC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent-api.atera.comrundll32.exe, 00000003.00000003.1789074978.0000000004EF3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1841281458.00000000050F1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1841281458.0000000005194000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1804582498.0000000004D85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1843418908.00000000048B3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D79B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7A5D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D7631000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D78A4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D796A000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1961821022.0000000004841000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1961821022.00000000048E7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1911590351.0000000004698000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2025970680.000002DF3C523000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.00000204008F9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.0000020400928000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2222994795.0000020400701000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 
00000016.00000002.2222994795.00000204008BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001D.00000002.2663679651.000001D257E20000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2158512868.000002308CF6D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3044688006.000001E702AD1000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.nuget.org/packages/NLog.Web.AspNetCoreAgentPackageMonitoring.exe, 00000021.00000002.2166705879.00000230A5AE8000.00000002.00000001.01000000.00000021.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2166181011.00000230A5A12000.00000002.00000001.01000000.00000021.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://github.com/dahlbyk/posh-git/blob/1941da2472eb668cde2d6a5fc921d5043a024386/LICENSE.txtAgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://docs.chocolatey.org/en-us/create/functions/install-chocolateyshortcutAgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://dc.services.visualstudio.com/fAgentPackageSystemTools.exe, 0000003C.00000002.2585821846.000001F3EDCC2000.00000002.00000001.01000000.00000047.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=5b4410f5-0f2e-4bd3-a963-23525d683552AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.w3.ohAteraAgent.exe, 0000000C.00000002.1902282659.00000145800BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.jrsoftware.org/ishelp/index.php?topic=setupexitcodesAgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent-api.atera.com/Production/Agent/GetCommandsAteraAgent.exe, 0000000D.00000002.2359409965.00000187D773F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76B4000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent.azureserviceprofiler.net/AgentPackageSystemTools.exe, 0000003C.00000002.2585821846.000001F3EDCC2000.00000002.00000001.01000000.00000047.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.chocolatey.org/api/v2/.AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://somewhere123zzaafasd.invalidAgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://schemas.xmlsoap.org/wsdl/AgentPackageProgramManagement.exe, 00000036.00000002.2592249923.000001FA27B11000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/26.8/AgentPackageSysAteraAgent.exe, 0000001D.00000002.2663679651.000001D25836A000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://api.nuget.orgAgentPackageTicketing.exe, 0000002D.00000002.3044688006.000001E702E7B000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://nlog-project.org/ws/AgentPackageMonitoring.exe, 00000021.00000002.2166181011.00000230A5A12000.00000002.00000001.01000000.00000021.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesTAgentPackageMonitoring.exe, 00000021.00000002.2166181011.00000230A5A12000.00000002.00000001.01000000.00000021.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/aAteraAgent.exe, 0000000D.00000002.2359409965.00000187D7A5D000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://urn.to/r/sds_seeAgentPackageMonitoring.exe, 00000021.00000002.2167238139.00000230A5BB2000.00000002.00000001.01000000.00000023.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://stexbar.googlecode.com/files/StExBar-1.8.3.msiAgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.ateHbAteraAgent.exe, 0000001D.00000002.2663679651.000001D2581D0000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.AteraAgent.exe, 0000000D.00000002.2359409965.00000187D76AC000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://docs.chocolatey.org/en-us/create/functionsAgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.39/AgentPackageMonitoring.zAteraAgent.exe, 0000000D.00000002.2359409965.00000187D79F8000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://chocolatey.org).AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://docs.chocolatey.org/en-us/create/functions/get-chocolateyunzippAgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zipAteraAgent.exe, 0000000D.00000002.2359409965.00000187D79F8000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://web.ncdc.gov.sa/crl/nrcaparta1.crlAteraAgent.exe, 0000000D.00000002.2373366773.00000187F0138000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://docs.chocolatey.org/en-us/information/legal.AgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://docs.chocolatey.org/en-us/create/automatic-packagesAgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40E04000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://somewhere/bob-x64.exeAgentPackageProgramManagement.exe, 00000036.00000002.2652412729.000001FA40B82000.00000002.00000001.01000000.0000004C.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                Joe Sandbox version: 40.0.0 Tourmaline
                                Analysis ID: 1501044
                                Start date and time: 2024-08-29 10:32:06 +02:00
                                Joe Sandbox product: CloudBasic
                                Overall analysis duration: 0h 13m 43s
                                Hypervisor based Inspection enabled: false
                                Report type: full
                                Cookbook file name: default.jbs
                                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed: 62
                                Number of new started drivers analysed: 0
                                Number of existing processes analysed: 0
                                Number of existing drivers analysed: 0
                                Number of injected processes analysed: 0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode: default
                                Sample name: SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi
                                Detection: MAL
                                Classification: mal100.troj.spyw.evad.winMSI@105/627@0/9
                                EGA Information:
                                • Successful, ratio: 18.2%
                                HCA Information:
                                • Successful, ratio: 67%
                                • Number of executed functions: 443
                                • Number of non-executed functions: 1
                                Cookbook Comments:
                                • Found application associated with file extension: .msi
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7560 because it is empty
                                • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7764 because it is empty
                                • Execution Graph export aborted for target AteraAgent.exe, PID 3444 because it is empty
                                • Execution Graph export aborted for target AteraAgent.exe, PID 3912 because it is empty
                                • Execution Graph export aborted for target AteraAgent.exe, PID 7924 because it is empty
                                • Execution Graph export aborted for target rundll32.exe, PID 3748 because it is empty
                                • Execution Graph export aborted for target rundll32.exe, PID 3848 because it is empty
                                • Execution Graph export aborted for target rundll32.exe, PID 6024 because it is empty
                                • Execution Graph export aborted for target rundll32.exe, PID 7192 because it is empty
                                • Not all processes where analyzed, report is missing behavior information
                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                • Report size getting too big, too many NtSetInformationFile calls found.
                                • Skipping network analysis since amount of network traffic is too extensive
Time      Type             Description
04:33:14  API Interceptor  3x Sleep call for process: rundll32.exe modified
04:33:17  API Interceptor  1647x Sleep call for process: AteraAgent.exe modified
04:33:32  API Interceptor  35x Sleep call for process: AgentPackageAgentInformation.exe modified
04:33:43  API Interceptor  16x Sleep call for process: AgentPackageMonitoring.exe modified
04:34:16  API Interceptor  1x Sleep call for process: AgentPackageSTRemote.exe modified
04:34:18  API Interceptor  3343x Sleep call for process: AgentPackageTicketing.exe modified
04:34:23  API Interceptor  16x Sleep call for process: AgentPackageProgramManagement.exe modified
04:34:46  API Interceptor  7x Sleep call for process: AgentPackageUpgradeAgent.exe modified
09:34:12  Task Scheduler   Run new task: Monitoring Recovery path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe s>schedulerrun
09:35:56  Autostart        Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {ff783edd-4e4e-491d-9d9c-72f3aa70cedf} "C:\ProgramData\Package Cache\{ff783edd-4e4e-491d-9d9c-72f3aa70cedf}\dotnet-runtime-6.0.32-win-x64.exe" /burn.runonce
Process: C:\Windows\System32\msiexec.exe
File Type: XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1442
Entropy (8bit): 5.076953226383825
Encrypted: false
SSDEEP: 24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
MD5: B3BB71F9BB4DE4236C26578A8FAE2DCD
SHA1: 1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
SHA-256: E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
SHA-512: FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
Malicious: false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 215088
Entropy (8bit): 6.030864151731967
Encrypted: false
SSDEEP: 6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
MD5: C106DF1B5B43AF3B937ACE19D92B42F3
SHA1: 7670FC4B6369E3FB705200050618ACAA5213637F
SHA-256: 2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
SHA-512: 616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 710192
Entropy (8bit): 5.96048066969898
Encrypted: false
SSDEEP: 12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
MD5: 2C4D25B7FBD1ADFD4471052FA482AF72
SHA1: FD6CD773D241B581E3C856F9E6CD06CB31A01407
SHA-256: 2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
SHA-512: F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 602672
Entropy (8bit): 6.145404526272746
Encrypted: false
SSDEEP: 6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
MD5: 17D74C03B6BCBCD88B46FCC58FC79A0D
SHA1: BC0316E11C119806907C058D62513EB8CE32288C
SHA-256: 13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
SHA-512: F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):73264
                                                                                                      Entropy (8bit):5.954475034553661
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                      MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                      SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                      SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                      SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8899
                                                                                                      Entropy (8bit):5.665589753045613
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:MjHxz1ccbTOOeMeGT61/7r6IHf/7r6kAVv70HVotBVeZEmzmYpLAV77lXpY92r:MTD2f/p/tiB2iB
                                                                                                      MD5:1B2145A4585895A9AA398E8931905BDB
                                                                                                      SHA1:B0F1DFBAA01FD364FA72B95565F8DA7301917B04
                                                                                                      SHA-256:7FFB4E215C8C6984B2B2B0F8E263CF01A7A1F8697EEA833811C1C1EE91F62F93
                                                                                                      SHA-512:FE55659D7AF0412DF71D465C9920C4BB33972DF3DF9F1780773E832BF1BB6BEAB6635A80B61F7E17C68B411145C94A0A4E03022B6C7B945737BFECF5800D4DAD
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\5b2503.rbs, Author: Joe Security
                                                                                                      Preview:...@IXOS.@.....@($.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent9.SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{E732A0D7-A2F2-465
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):9565
                                                                                                      Entropy (8bit):5.572807753314447
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:OjHGBcR7bLCsgRKbLCMDp17qEVl0Q4LALtyD0qagukGGhaKfmbHt1f6SkorEcZ:OTzRDgREdQKKDSNT
                                                                                                      MD5:77BC832121F84AE3CB8A0B8113751CD9
                                                                                                      SHA1:7A46C98B076BF06CF3CBCDAE2CF4756640B5D44C
                                                                                                      SHA-256:9E4D6E4E552CFBABE51008F29DB2D804081EC46C35C3E9BA56F968229455DE38
                                                                                                      SHA-512:3DE7D1D337B53DFE537DE0DAA6FF696BD81F0E88B95DE0EF9747BC9B8B698C66C82E7C638DC4EBDBC7AE7E514A88AEAD67FCC02680C8FA3D56C35F3F9C645DDE
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\5b2508.rbs, Author: Joe Security
                                                                                                      Preview:...@IXOS.@.....@R$.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent9.SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....InstallInitialize$..@....z.Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\Transforms...@....(.$..@....@.Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages...@....(.&...C:\Windows\Installer\5b2504.msi..#0$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....%...AuthorizedCDFPrefix%...Comments%...Contact%...
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8767
                                                                                                      Entropy (8bit):5.654308598224454
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:Ey7wo+fncHMez1G6ITG6k7s5VNpkxYpLso:EPo+fncHVGVGtSNpkcP
                                                                                                      MD5:D799F6EE96F68CD62904CAB0E886C5B5
                                                                                                      SHA1:6275D4C5C855023E4F7BFCC65304050F7D1531C3
                                                                                                      SHA-256:DD60B656D1559C2236A69EA598632B45D2A252C81B0D260862F205CC631574E3
                                                                                                      SHA-512:E48BAB2DC75C33F621BE63607302EFC833684D8F0A3853F46E961705B296EED6C59CC44CA5D4910778F5317D5EB4581AAFF14529AECE0D5AF243FC5245E3AC7B
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\5b2510.rbs, Author: Joe Security
                                                                                                      Preview:...@IXOS.@.....@U$.Y.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):753
                                                                                                      Entropy (8bit):4.853078320826549
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                      MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                      SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                      SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                      SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                      Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7466
                                                                                                      Entropy (8bit):5.1606801095705865
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                      MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                      SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                      SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                      SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):145968
                                                                                                      Entropy (8bit):5.874150428357998
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                      MD5:477293F80461713D51A98A24023D45E8
                                                                                                      SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                      SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                      SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1442
                                                                                                      Entropy (8bit):5.076953226383825
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                      MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                      SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                      SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                      SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                      Malicious:true
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3318832
                                                                                                      Entropy (8bit):6.534876879948643
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                      MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                      SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                      SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                      SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):215088
                                                                                                      Entropy (8bit):6.030864151731967
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                      MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                      SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                      SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                      SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):710192
                                                                                                      Entropy (8bit):5.96048066969898
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                      MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                      SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                      SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                      SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1345342
                                                                                                      Entropy (8bit):7.999087415296336
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:24576:P6qarBXIu143emJM2e03hHsPi7+QfGIjn5xgFxNybKJvTDSJSH:cVI81mOZ8tsu+MjnrAsimY
                                                                                                      MD5:F2E653E517216BAE6EE1866E56C93541
                                                                                                      SHA1:C9CFE52AEA1FC5026437162E5CD6EC5AFDDCDB23
                                                                                                      SHA-256:1A76544543CA4CCDD3981F517E93E316EF3EEFA677ABBDDB19AC94B9AD8EC613
                                                                                                      SHA-512:7AC34473A4B50991344DE76186B249DA8753FE01C4F1C344CF17136D157A8847A34047D1E492BB74F9B877DDDE155D6E503067FEF2DCCED6F7795B5EDEB97DDD
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:JSON data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32588
                                                                                                      Entropy (8bit):4.9960910032419115
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:YMiXbLuNFLgxnzeynrL390PbFM1Orsc+eQjBy6qY2871Yu9IM8yzI:YHX+CRN0PbG1Orsc7QqYR71YyIM8II
                                                                                                      MD5:30FD970122DC4F600AB043C1F2EAA9DF
                                                                                                      SHA1:73ECB0343F13193E1647169994E856B85B3E8A80
                                                                                                      SHA-256:B9AEC2BF04C19AEDE9F089947337F4A72F4D9D9107499D06489220B78965945A
                                                                                                      SHA-512:070C5B9976289C7EF84D01BCEC81E87B538F0251048FDEAD99EB8CBFC4CCE5AE9F3072D0F5AD79B1BB49CF3C78858581627636035772F875B132044FCBAEA0E3
                                                                                                      Malicious:false
                                                                                                      Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {.. "Agent.Package.Availability/0.16": {.. "dependencies": {.. "Atera.Agent.Package.Infrastructure": "1.0.0",.. "MQTTnet": "4.1.2.350",.. "MQTTnet.Extensions.ManagedClient": "4.1.2.350".. },.. "runtime": {.. "Agent.Package.Availability.dll": {}.. }.. },.. "Microsoft.Extensions.Configuration/6.0.0": {.. "dependencies": {.. "Microsoft.Extensions.Configuration.Abstractions": "6.0.0",.. "Microsoft.Extensions.Primitives": "6.0.0".. },.. "runtime": {.. "lib/netstandard2.0/Microsoft.Extensions.Configuration.dll": {.. "assemblyVersion": "6.0.0.0",.. "fileVersion": "6.0.21.52210".. }.. }.. },.. "Microsoft.Extensions.Configuration.Abstractions/6.0.0": {..
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):64080
                                                                                                      Entropy (8bit):6.320286768676932
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:9pU+qNEN8hGUdlhkjqMCgoGIxBNPlaWxk4TKZ08gDT7iC6gW3GIXtHEje4bEpYin:DU+CkuMChNPlakNcgD8ge1+JU7Hxz1
                                                                                                      MD5:E863A6AB8AA66CDFDB72085FF29C8945
                                                                                                      SHA1:3018DAFFFA623BC8404E1D0AE990B3B58E502455
                                                                                                      SHA-256:8168DF0CFF719BB10F2A03EC220788C931DA3E5EFA02030011AFF5B48F888D36
                                                                                                      SHA-512:62C0623C9E2BD66A3C1469BE3D2B7D36CB52364181D38400A6F27EE0600DA98DE921F49EBCDC2EB6A49D2CC0C2FFE4287D7587020162DEBDD54209CC89108350
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):160336
                                                                                                      Entropy (8bit):6.2128348726246605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:6czkitvo4BpYN/6mBPry8TXROLdW5m4mUR39OOGO0kLxD:6A4NCmBPry/N2jOO7r
                                                                                                      MD5:EEB8806784553B29F5E8CE3F3566C452
                                                                                                      SHA1:588702EDD2CAE4FB11558E967BA88F1D4AA0B92E
                                                                                                      SHA-256:AA2322E40481D38DF9976C34A564932262EE08E72FD76465ADBCC04545BEEB8F
                                                                                                      SHA-512:88378E2190D813E788121DB814AC9B49FF12E489780CF46CDA770794D3EDF64075E1C73F2C1EFD29265EE71FDCB13A06A0DE0C29747773636FD3DE28ADA6E2D1
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):14
                                                                                                      Entropy (8bit):3.8073549220576055
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:WhVLD:WDLD
                                                                                                      MD5:9A7D20AAA012D185DB528C72378B0ACB
                                                                                                      SHA1:CD17C5DDB04E5CBAEBA56BB883B2BD0BF8C529DE
                                                                                                      SHA-256:CBA7D06C662A6601164CBC5A0F4086E247DC1ACA7CCF2F72F4443C88DDB29095
                                                                                                      SHA-512:961707F9926401EED9FDF892484527D253514F336B2AEF0A450184EE125DB940823E933739ABED422BC97B37E4094EFB3C9C355154F86984EB36508ED28BEE90
                                                                                                      Malicious:false
                                                                                                      Preview:version=0.16..
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:JSON data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):253
                                                                                                      Entropy (8bit):4.585549446641918
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:3Hp/hdNyhAkI/XCkyFNOJeZS1sHZeQ6NOCUo+K8EkNTy:dFkp5MeU1s5hex+K8Es2
                                                                                                      MD5:24E4653829DE1022D01CD7DDD26E2F22
                                                                                                      SHA1:9160A009CB381E044BA4C63E4435DA6BFEB9DC6D
                                                                                                      SHA-256:DED3AEB5856A11DB0B654A785574490CAB55839EBFB17EFE9E39B89618FC5B91
                                                                                                      SHA-512:EFD4BBBA1BAEC0B47003831510E3AA539DB9EF468E0F06BA9D7BA6D0B3800035F7C818D7D90171BFD377EC97D08C4617555BCFF635DD83EFCEB412B1A9CCA820
                                                                                                      Malicious:false
                                                                                                      Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "framework": {.. "name": "Microsoft.NETCore.App",.. "version": "6.0.0".. },.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):59472
                                                                                                      Entropy (8bit):6.232150161817101
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:W36VpFishtGAb2BAst2t1z2C0qePts2+lpmjouk3KmGT1S3k7ZJSEpYinAMxCcOO:rFan4tkC0qH2ip2ouXm21oGJz7HxnOO
                                                                                                      MD5:2E0FAEE04F8632291F811074ADD4C253
                                                                                                      SHA1:0BAE9ACC374F92683691B335325A88FFA3B4109A
                                                                                                      SHA-256:2CEB68FE0E177998268E78FCB45065A2B53ED4E8E74F751B6AA993CC2AEACDE5
                                                                                                      SHA-512:A312A2B8689202032DDDF5240EF5092977F47BCCF19D0D1568D392EBD51040989453FFF1DB8B7F637E672843E701DD88BEFD80158F3209C089BC08670B7B8B2E
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):54352
                                                                                                      Entropy (8bit):6.249382958975322
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:yjPkdaG23BdHAnoekKhbdzn9kpWcwfRLzfoZrx6nnPMfm8XoJE5GtSdhEpYinAM8:IPGShI7mW1ZoZrcn0e0oJ4GtuK7Hxe
                                                                                                      MD5:59E6366CBB001376D03B59886F8CC984
                                                                                                      SHA1:A9B93839F4960D0E8CFAAEE15439083615AC14AC
                                                                                                      SHA-256:902725DBF9F7950D1A4A4F0057CAE5E14816F0ED686BF2422C03561AB13DA870
                                                                                                      SHA-512:DC77203DCF26337FA34094F1C954128ECC3C9C72F0F53B46598F6272012749A523AE38C5EE6D55376084568C2D97FB07104EA1D703318231517924FC7BD095D9
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):311888
                                                                                                      Entropy (8bit):6.173014844115743
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:+F0eAyIQXbKwPMF83GUN/7a3zyROhmogpE2/M3jw:+8QLKwPMKGUuBhh33jw
                                                                                                      MD5:6B314E447AD16EF4B8CBAA6CFF589F74
                                                                                                      SHA1:86647A26123AED74F2222E95C310C6186B03908E
                                                                                                      SHA-256:065EAB6C73BD96467BBC02FC3763DA01C7FB7065368C15E93192EA2F71975BE7
                                                                                                      SHA-512:131591A60F8C6251465F8BD103ABD499EDCE850BEE97AFB58A37B2ACFFACFEFDC93EB0EDBBF426220B9C9CAAE0A6212AAD5665A70F913FB96751CBB234A718D4
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):26192
                                                                                                      Entropy (8bit):6.56959956590535
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:vm++Js0qJ63NU17qtlR9iaTG/0wEzRjz6sMHJhOnAWM/aWsrNWUNyb8E9VF6IYiD:+lso3W7qHypd//SHEpYinAMxCsB
                                                                                                      MD5:568B70E6ACC43FA5D6D1B748323B7100
                                                                                                      SHA1:33C1E279743914ECAAD4BF3F3581D1914260C8F9
                                                                                                      SHA-256:1951AC489A3A924874B67DA82E7DB6C0F4BC599E3C38A8E6EDE0A5C33DD45391
                                                                                                      SHA-512:EAAB9BA61D0ED958C6D1A4DF0E95CE5AE2FFCD6A6E6C9FAE5522902FB72586EE16EEF397D94B3625B820113976ABC8F7DABFB55999B8802988D9B20201BC5C66
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):34896
                                                                                                      Entropy (8bit):6.492292235898413
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:IRnQyuN61yKW1Guh2dIewN3czA8i1KraoAEpYinAMxCU6:IdgA1yKW1L0dkNc081+oJ7Hxw
                                                                                                      MD5:7AEC82F5B955AB320971CF18B13D63E1
                                                                                                      SHA1:C7BDA552D6C44FF7F5546AF6BAEAF0DAB0A6C278
                                                                                                      SHA-256:6D46A7EC7CC3DF3663B359F54F0F7B9B47EFED4AEF728C6DE117091F3838AB9B
                                                                                                      SHA-512:622E1E8373AC5641D0B6C77FF80A422D4A18EED790BBBE675C48A970318736862EFDBE28829A53AA631F8D387A10D14EC86FF748D4F33183CF6D331C47CAC426
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):24144
                                                                                                      Entropy (8bit):6.681463392080136
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:T9FrztnCvZrlMIPTlLn9by3WKbW97nW2Nyb8E9VF6IYinAM+oCut8X7De7uA:Tbztn2AmxniKnEpYinAMxCZeX
                                                                                                      MD5:63CC618B9FEC8C9503DE8EDB5B7FE6EE
                                                                                                      SHA1:C994A8DFD89F5C4329744A589D35AF40B610F6B9
                                                                                                      SHA-256:5C5D3B9FAA3E3D3310BEC715473C58D490FD285344B95A381A7F46E19216FE66
                                                                                                      SHA-512:96C4F352951320309EC880F3C8BE6558633226DB577D51A22C7EE7B6EA2CF9960AF3B10D826F59DC80E14350BE684FE0836F1A31B19714C98475633BB3919D1C
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):19536
                                                                                                      Entropy (8bit):6.730982430474166
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:SsGu6f0Ux3STFWUQeWmNyb8E9VF6IYinAM+oC/tUlUK7:SsGuWRTuEpYinAMxCWlUU
                                                                                                      MD5:E82CC9FD71064E072AE181432720A909
                                                                                                      SHA1:22FBE31E07A80B1B8DB0B97A3978ACCBBDBB0455
                                                                                                      SHA-256:842D59E7D1116B4072B2A18667EA381E7D2E449F14CABD89DB495EC3B4E4BEB5
                                                                                                      SHA-512:682DE1D3AAD5E08A78F7B55524B47926BDF2C249ADA483341DCE021BF1C21EF9EC1BD67BEC24230823253ED51251D5F20FA388E055B88CB5BF35275BAABB36B9
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):27216
                                                                                                      Entropy (8bit):6.556776563317454
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:6Y5JfZB7plLDwLx0umTZXA/XABRfhzWqr6WpNyb8E9VF6IYinAM+oCeB8euvQ7:/rd8Y0wRhzpEpYinAMxCeXL
                                                                                                      MD5:F52ACA731FD999D93962B96D86E6B4FA
                                                                                                      SHA1:BE07B77866379A49FED237471F232CBE348A1BA1
                                                                                                      SHA-256:924B4D2E997C16CE54101D05E8E7298F3D0D0FC9611957CEB5738C7224909DCC
                                                                                                      SHA-512:A5EDE09FAE3ABE0FE68F7D04BFC3A382FD0875BD87F4B80465DDB8C0645E4B9AA9FE6DAC5BE18B1F1E5CA32869E00E481103AD4A308AAE2208F857C90D0F4ACC
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):26704
                                                                                                      Entropy (8bit):6.562781030074369
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:yI2/cK/FWwbGXC8e1lje1l6RWkb2W+Nyb8E9VF6IYinAM+oCE1sD:yI2/cqFWwSl6hXuEpYinAMxCrD
                                                                                                      MD5:63072DC72E16744763AB647135C09C60
                                                                                                      SHA1:7241FA172D6B5F06AE99FA4112EF981010489797
                                                                                                      SHA-256:5DA668B31F3E78DBCB3FA2D261694944DE451C757D62AD57173EF7B1637DA7D8
                                                                                                      SHA-512:076906EC35DF1550467E4B2B7070D87F2EE84605D595699E9BC0376681A5637BBB9EC1B1A0933419EDC81F807637767D68ACD1ECAFF0EAAFCADE425DCDD0D762
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):25680
                                                                                                      Entropy (8bit):6.5096189037099315
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:sw6kebL1iFn6d6E1oE1LdAAW9ACWHNyb8E9VF6IYinAM+oCvcTE920l:AZbcWus/EpYinAMxCgc
                                                                                                      MD5:19DAA869DFDD8A67F4F7EEE1C955C7D1
                                                                                                      SHA1:3BA0358E9619ED1686A73E8955EBE0C4A61D6EDD
                                                                                                      SHA-256:F2AB144E0B9DA3689BC1AFE5AFD8721BBB523EC01C1299176FB5EB11A4B9FCBA
                                                                                                      SHA-512:0F42E9AF420A8E0A7547E7D172B4E0238698FFEBF65494F1C4C241E90CEEF53F7238A7423A216B8A86366EF16050B5836FDAEC63570BA468BE1CE5973C27DDB5
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):37456
                                                                                                      Entropy (8bit):6.451863278895808
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:gi4PV4eWxaVsQLqyCekI/q/xGljjEpYinAMxCkmg:gaVxa2QXUxajc7Hxpj
                                                                                                      MD5:A2B120986B4BB34F8BFA9ACF877A6581
                                                                                                      SHA1:3E759CE7F93835E8EF7E5F5685A64BBC77FE69A4
                                                                                                      SHA-256:DB4B3ECF1812E0BAF0326A94553049FE9DD613613FF344331A8C4A5BF6D062D8
                                                                                                      SHA-512:74C787EE77B34159ABC3FFD2CFE75B6855D03415F2E7334F5FD5BF20436B6BF10A65F9BB97143B631E3A56EAFD79D214489B3C393D48321E53DE88518CFF070A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):44624
                                                                                                      Entropy (8bit):6.263023686004545
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:X8+cxuPn//hpz2XCkCkCdvAb4b4qox06OoV0F8l0HCTpw0wo0emqEpYinAMxCm5w:M+cxuPn/bvvE0Q0HCNfBsL7HxLG
                                                                                                      MD5:8F23259BF8157AA26FE2BB5697CDE18F
                                                                                                      SHA1:14E9EA552451E4EA72D77D124FE1330D6F352E26
                                                                                                      SHA-256:836863E3C12887EF2BED748EA63903C47DB9D42FDDAB607CD0BA47981A2F7FD8
                                                                                                      SHA-512:98FE8F297F1834DC09926E1B3E8AE37EAB8DF183F913453A81A779A10DB0FF93E4F3FE895206C857E15A62882C7EC32121D27A33CA3413B645E9E70A3A3F263E
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):82512
                                                                                                      Entropy (8bit):6.280844319966934
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:ENLmvi666OjIX0h9zMPvHBWCaRweUG4DynjEZnB87Hxk:K66fjLb8vH0CiUG4DyneB8S
                                                                                                      MD5:10D7DB14873F7D90062ED05370F74608
                                                                                                      SHA1:E57473D9CAF6417BEEE24AD59226F0DB6D9A2596
                                                                                                      SHA-256:5A6E417DFC3349517D74CB22B220B5EDCF5AA7CAFBF858FE21F49ED0C9FCBF8E
                                                                                                      SHA-512:D74EEB2A584D10E71582B1EA8CFF08C4968333CF620FE60AF61206375BD7CDC498104DEAA0082EFC47FE850D44FBED5031E3C69301CB3C41D3C70CA1805921AE
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):22096
                                                                                                      Entropy (8bit):6.574986500526706
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:5lfkJv/RYTWl6+MTxMufuMc8CWsbhWVNyb8E9VF6IYinAM+oCUUF:5lcJnRYTwIjJ6mEpYinAMxCd
                                                                                                      MD5:A2E5939939DEC7631230F0CED43CACAB
                                                                                                      SHA1:2946F6E44885EA041D307E6B535D21F4594487FC
                                                                                                      SHA-256:BA54C5630AE9E7994E5489C7DA9A80E4E3C9CC46921BA9EC9B3B625E35011FFB
                                                                                                      SHA-512:0A9130E542F4E127CA3BDD51D64EC75DB8793C66815CBB6FD17B5C8788594C0FD7EC7CD7730DAF84BA275A35DC95F9B56FE73A25189B4C538CDEB289696EA94E
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):43600
                                                                                                      Entropy (8bit):6.435989681911625
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:uHxWCQ4MPJG3cOeeapdUgsWflN+Qu5cEpYinAMxCT:uHxW58re3pdUqN5u517HxA
                                                                                                      MD5:5B11E661BC8B53F6886776E6C0AF024E
                                                                                                      SHA1:644BCFAD4D5DE8ABB74A692DB728C6EB4EA5DCEB
                                                                                                      SHA-256:2F329F4B16D0F1DFA1CFF2DD699F6B28F30F45F61F6AF8B393CB7A13358B0E20
                                                                                                      SHA-512:EB3F13885303313697B347F330F102A8C6467A3AAC402FE0110993B4B7ABB3FC42387A50933E4B466CEA614C4B0434A9C94A04CB1229691F7E4AC87DCF4AA276
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):45136
                                                                                                      Entropy (8bit):6.356515470188593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:LlwMU3jMMSPNueKQWjRUILOK2Ksf/qSCgHgUsJJEpYinAMxC8:LuMUJqLWjRHFtsHqSCgHgUsJy7Hxj
                                                                                                      MD5:EE514D62931BB1B8D2F76597F4B5AAC2
                                                                                                      SHA1:F9052A124653BA28CE8ACB3DFF1DA7E261CEB92D
                                                                                                      SHA-256:6C0F0AA4A3772448A688AB8E086861DE8026E3D8A97EF4A8D513AA9E5535246C
                                                                                                      SHA-512:74CAA313BD77D88CB9EAA5E35E6388B32734E605DBB514130F1FCBE03FF4D7D1D7F9EE884F97975BAF2FE7D76072D9056116FA6BBB59C0786513354B589993EE
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):28752
                                                                                                      Entropy (8bit):6.5663544647348155
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:sfGp7YacaEaVNbG12flBF76euwMw0tXXVfFQkzsG9kni7QXRdQWibdWPNyb8E9Vv:owVNz9BF76ejMbmHXRQAEpYinAMxCxu
                                                                                                      MD5:451165A322F6BDFAB22D2640CFEBD88D
                                                                                                      SHA1:E0D874B7FC80611581E745AD721540A3A20C7E1D
                                                                                                      SHA-256:A982218CD6CEDB1DE7D4286C8B4E785F16A59AF06F780A88D250CFC41DA3B941
                                                                                                      SHA-512:227B4D98A758E13AE84453E7FE2B3970D95EE195192DC147B51316F73F5B6CFD68E629DA15A314AECA19084B3A9A080D7E6D4E6D3826D070F7081EA8E8BDC7F4
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):56400
                                                                                                      Entropy (8bit):6.30490980453766
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:uBu8CE7AFg+0ITvhADGmnnbaTfP63+R3u9q09ejEpYinAMxC881:ucfWA2+DjaD/nnba+3uwq09ec7HxS1
                                                                                                      MD5:6A78A125A2E3E232E5CA99DFC52F5BAB
                                                                                                      SHA1:B9926C0419472F8BCC5DD23532E29C1DA34EE17A
                                                                                                      SHA-256:DE00084D93DDC8DF65BF23D70DCE1F9DFAF4277C381EED19E9F96A18D1A77C57
                                                                                                      SHA-512:624873C03967886E4C6A628034B0ED7C7747CCFD32641194F4F5B8827D3555DC28590533B69D03F2597F218CD010E5D70B0CED024736B20ADDC68367346EF494
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):63056
                                                                                                      Entropy (8bit):6.287321950681953
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:J+UfRQY8PGNWovMLJYBjtLgnuAAAAAknwd45FnrfMq1/yJuoiYblHJg6GOmDulEh:J+tY8PIiq51wcFnDMsno7jRma+7Hxd
                                                                                                      MD5:55EBC669459FCC49F58F96F9003B9ADB
                                                                                                      SHA1:B00BC54B8BB572A91E6B5449CA7E161244806895
                                                                                                      SHA-256:718EF8C135AEB2C5B248F433758441503CC3F42E70946666608AFF3AEE495DFA
                                                                                                      SHA-512:AF18059F3E3E4304FB877FDF2ED61D53D072BB2B3D8E1EBA0D4B74ACD04108063F7853054BBF97A93850821A543A57FEE02E0252C8AFD409335F916B56D0A2BE
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):27728
                                                                                                      Entropy (8bit):6.551086012985974
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:Y/r0yw26S3QgV/UxNmsUspvnipmgNRLGc3WxsBU7RWBzNyb8E9VF6IYinAM+oCfX:8r0j26i92L6zBU7uEpYinAMxCP
                                                                                                      MD5:234B690507F9FAB8A2AE2DDED1357C17
                                                                                                      SHA1:27B4B381DDA5DB266AC6318B410BF25EA9F8A7F1
                                                                                                      SHA-256:7A4598E103896F4F5CDE4FE1C1A9F2D1535C26F8D1A4F97C9332EF3C40A439D1
                                                                                                      SHA-512:28362763CA8F620217DA4E9ABCE43CCEB0FE952B09AFFD240EF1B8327424FD09E255CEDAFBABF48D0D9691D81A5B07F3BF345947AB5567E41E8F47CE5ADDB9F0
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):51280
                                                                                                      Entropy (8bit):6.367904513182944
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:fTGWFIlYoY5b3OxMZnndnnennnnnnRt3nV+JEtpzU+uujK2lBJqFsSjKcb7SEpYc:fiKIe9JyvSCG2l+NX7Hxheo
                                                                                                      MD5:D024BA9294E580CE20266BE92144CE21
                                                                                                      SHA1:C84A8789B37D8A086FD9750E92F870CC271DBBF2
                                                                                                      SHA-256:207592672324F9B89D88DAA01E18A9501FFDA351908FADFFA1D38FE779594524
                                                                                                      SHA-512:EECE0E3FDDE38170CA8F9B5E154224EA317314B97D8C87E3F501D50C3059F5CD39E0D45272279F523430206219D474E3F8AA4754B23489218DBE007E433DA3C6
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):19024
                                                                                                      Entropy (8bit):6.636376636323213
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:Ev+kBD/v7WJZVMWUBNyb8E9VF6IYinAM+oCCb4RC:EmMbuaEpYinAMxCGIC
                                                                                                      MD5:EC620107577C70EF9A35370ECDC7E48E
                                                                                                      SHA1:D5B1D31BE728865CD2BE805A99899CEBE9FB9543
                                                                                                      SHA-256:149785F6C1069C4AEEDC4B13730BEE3664EB714F44EEDCFA15D097FFACEA5548
                                                                                                      SHA-512:60391DAD37D27D105ED3DB4D8DD5F06BCF2EB69CB06D9026A8C2CF713884C4EF3A9E6C13A5B6669B834963055A5E18B43D94BC4DD10C781F0D4D5A860B4C5409
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):25168
                                                                                                      Entropy (8bit):6.602492244793594
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:ZzTu6iOUdGgvklNpdOHhvVhZQVW27FW8Nyb8E9VF6IYinAM+oCC/Fi:ZziZOwklFYh4jEpYinAMxCd
                                                                                                      MD5:25085314DBB9591FB8E8069350D1DF4B
                                                                                                      SHA1:31C55CE68D4C2EB2BD7528B5FAA63330E9F7F10D
                                                                                                      SHA-256:4F3913937EC411FF2EBE7AFAF10A2B55F572A6F1763BB3B1320E93540176570B
                                                                                                      SHA-512:4EB7215BDB25D233A069B536A5A7129528F66978E9D2A76F2BFF8DFE9A08A8406B8D4F496E1B1AA0B19E15E4EE5DB308848723180D7081697ABDB1D542BFF0E5
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):33872
                                                                                                      Entropy (8bit):6.563086985369541
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:T2x4wbbh7Kx8kJ3yiW8/zKeGmBt1qm1CS1yvhGcRtquW3LUWTNyb8E9VF6IYinAW:5wvh7KxdlW8Jvr5EpYinAMxC2n
                                                                                                      MD5:AE55839BDB2A80A88E423363DE26646B
                                                                                                      SHA1:216B449838A7C2FFD182D1B78BD1FE4DA4E60BDE
                                                                                                      SHA-256:274B5887C6D0CEAAF7CBC6D613FF7D69EFA6314AF7950C75E5F91ABA421A60B0
                                                                                                      SHA-512:AF7EA961214F17A09A27AF932F8528162C876E5D74410AAA6D96BF4F8412EECD6F93DC28F7F657BFC7D92486480AABCC45AD5E35B6EDF61272E6F68F5B40214A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):45648
                                                                                                      Entropy (8bit):6.394614635924562
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:vX8pDT8XP6hA+wMaLWCzAVLOPnyEpYinAMxCwC:vXiDTaP6hfY1GOPnT7HxRC
                                                                                                      MD5:6543EA508CA44C208A5E7387188069B8
                                                                                                      SHA1:639C57EF6A4248852E799FD6FE085EA3362CB856
                                                                                                      SHA-256:C562A4A38C9FB59873702712D070BC97D10BEAEF5257577CDEC7CB38101B017C
                                                                                                      SHA-512:4F70074085869A750552A51F8F43517688DCF789327F000795F56F87E4A34CFF1AC7D7B1988E09F1E8F67360A1C24166303D5691FEE033A9FF4D81674FC56C99
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):23632
                                                                                                      Entropy (8bit):6.6336314644715
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:noePm+VIkOdHt6Zx8HignlSZYT9zWzL0WtNyb8E9VF6IYinAM+oCD7P5V:lPzVIko9FD9o3EpYinAMxCnP
                                                                                                      MD5:B04F71ECBEB0CD1FC15679B5F2C83C18
                                                                                                      SHA1:69C7C2D7B66967CD707FF58D7076162BD978AD1F
                                                                                                      SHA-256:019127850A8B5942C77ADA38D80BCCA4ABD739BD78A038DDD0C5A04AB817B092
                                                                                                      SHA-512:24A75E1F6CF53CAEAD02BC9A0E7A73B163B83B111333656F5FB5BF36AA9F93F4B71C24F22B30774D902ED51529361B529775C9F2EBDB75114E95D2E8DD48509F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):59984
                                                                                                      Entropy (8bit):6.316388481082354
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:+CD3yk2B8+9PwwOxC8wZLq6J4q2r0qafouRVPvW3nEpYinAMxCxq:hkB8+94xxBmm6mqaBafouRdiA7Hx/
                                                                                                      MD5:692E60666691AA7C7A3D41B9B84E9671
                                                                                                      SHA1:C16EF8101414C2850C788DD728E2F1134286A4D1
                                                                                                      SHA-256:D73BCD766C323469E4DDAA3E28010CDC1BADBF18DFE9914B0930AE3496E6CF1E
                                                                                                      SHA-512:28CA49180AD5EFD477B957D52786E52A27A732302B0CDE634ADE7AF8A8A9F25DBD06E31245A7EB323308859216650CAFC072BF21CC1DB4FA45BC77B1BF1C0BD0
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):41040
                                                                                                      Entropy (8bit):6.341422324702679
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:zlx+oQSHqk49NI0OP7NWEfDkkuiEk3LViMEpYinAMxCog2:vVQSyI0OP7NxfAkuiEkbwF7Hxf
                                                                                                      MD5:E6187CE82E5FDBB4814DBB4B75DF1A33
                                                                                                      SHA1:CA55691C125C9D8F7E3573A4EBDFCD5C6CD8576C
                                                                                                      SHA-256:B8D387926AF32BA9B40CC21C15B20B7458EACDE96AAD1A10B36365B66CCA184D
                                                                                                      SHA-512:D5C98142E58CAE512FDBCC8D5C4F639D4589FB022C79272E4530816F7D22C7595A93E9DADBD2636351B6DA10D3754DF14368FB5A7AAEA110D63931DB2781E56E
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):697936
                                                                                                      Entropy (8bit):5.963248155050918
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:deos/POdGV5jfWrV/9Yeh9eRcyLfLYtT5mWxTZ/B7jW5JMtRRpKzQJ:d0/POdGV5jfW5VnhFyvOB7jW5JMtP
                                                                                                      MD5:3FC646321E6E41A6F6DB0F6D68CF0838
                                                                                                      SHA1:F2D15576C8BE70F68548CD040978DDD6B4204AA0
                                                                                                      SHA-256:9C850C7B7B45844B125076F3774F81B71A24537B7F187E597C4CE3C6026F913A
                                                                                                      SHA-512:6CBB07C0E3B5D7607F1B4D4A3A4E78164CE3EC48E70935BB60FE5EA1B596814EDACD9491703F0A7D279544E14FC4C00691EE70505B2A758617690C77682ACEBE
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):285776
                                                                                                      Entropy (8bit):6.198599890196997
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:5MiAQB4wmESyxV8pj06e4isQ8gsHsjb/W1DBZ7DhsNcym:5MZpj06vUsMjbQ77D++
                                                                                                      MD5:5B74F4D8E9D47BD1F248193AF6100960
                                                                                                      SHA1:25EF85F59695D0D60B4FD0490AD39A6BBFE61DA3
                                                                                                      SHA-256:6BA0EE588B46E3D05A40955576E1D0F2C82EB315D254F1D3F587A9FC51A828EF
                                                                                                      SHA-512:63CA5F2E05A64028E084BA4760250B706836F8AE74A95F9F81262788BF49DD56E56FA371B3792B96C0F073DE45BF85FEA6AB8A67DEF5BD4325D7E9A37CF7E938
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):38992
                                                                                                      Entropy (8bit):6.295960647161023
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:gdfuvOXFXW/8O6bXD+eeIgLPRsnHnyhQupytM9z7O3zfXYvj8rbPH5nTLhCPsIlo:gxuJRRsnHnyhQupytM9z7O3zfXYvj8rz
                                                                                                      MD5:B4DBAA3533A39B9374EC9A3DF9CFE2D0
                                                                                                      SHA1:38906D9D3FFF7C58CF4D2BC0C2F54A91EDF2CAC2
                                                                                                      SHA-256:73396F9B1AC255E3877835B4A4FA4E00623795040A1C54B14C4D504CA83480C2
                                                                                                      SHA-512:BF1534427C3C94FF19C451E19887852A530FEAC1C285D65AFCA782374558F041CC85EB3F4BC37014809A19E2E4F8643842B9AAC5E92A1DE9C0C613096A6A185F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):27728
                                                                                                      Entropy (8bit):6.554466088668113
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:JSgpZUlMxR5I1z8w3Uta2lQBVMxzMJktYm+9HWXCYBNyb8E9VF6IYinAM+oCKtKq:JSCZUl2O1zCnXyzD6EpYinAMxCkT
                                                                                                      MD5:643D074241473A3DA524DCF514C1AE47
                                                                                                      SHA1:7AA5A6CE315CD3DECE4F5A14F92A3C13F99514AB
                                                                                                      SHA-256:5763B143306B3EAF23871C4DE30F726A024A68A395E26C1CD0EA3D873CA6EA03
                                                                                                      SHA-512:6947C00384C518DB1CBA1BA19F65735D01A7DCF96CD2267FCB927164E6392786D7037BDE8C6984193E96A753A874252E22BDC6F5AAA3C75033A79D5356221E64
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:modified
                                                                                                      Size (bytes):41552
                                                                                                      Entropy (8bit):6.321443170649413
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:VUqoXsEgfFHoiikZ9y3BHdD+XR/tGo06BWEpYinAMxCZv:mLrgfPw3mXREaX7Hxwv
                                                                                                      MD5:0433BB0C58BFD97CECEB68FD52A542D7
                                                                                                      SHA1:AD638A6A23C0516285338F5FDA7C1AF3BF0BE4EC
                                                                                                      SHA-256:7E873F261F95AEC61C2C7F6D05768C7306C3DD267128286FA646E2B6DF267CDC
                                                                                                      SHA-512:894526AC0ED29E296D4987F36CDC44D933408E8182C185FF5488355AE3D20C1896EA675BE0D27C58A74156DE3B17E7DD72B88CFBA4A0F9EBFC54FA3E51B21FAA
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):138320
                                                                                                      Entropy (8bit):6.160678928460797
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:MobKO7RaoWuUeZk/f0Sh1HlWZm1ZZTdyGFkNUMT+P65jDtYQK:5bKKz1UeZk/Phv8lDuPai
                                                                                                      MD5:D755ED4DFE2F19DEB11ADE5CE5070F6D
                                                                                                      SHA1:F5A93E6C45004CB49398A54490F831CDAFF4349B
                                                                                                      SHA-256:936E73360824D627B42DD5401F8BC884E2B3B1D8A27267884275EB524CD7D672
                                                                                                      SHA-512:C49ABBDA336276A7DF68BF41355E23A52B6DD24079022A56A98C0B18D50FDF37BD3F469072B3F7903C94F7B7420E2CFCAC5A702D65155E0AA6C8C1AB2886EC1A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):52304
                                                                                                      Entropy (8bit):6.150052387080182
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:sb1yYPvLtCJY0E+F3xeHwNaleirtqCVlXmL+7NQ1OaY7c4EpYinAMxCODiTdS:sb1yYPL0E+F+8inVlXNP7cB7HxNkS
                                                                                                      MD5:60DCBA37E0501E08289CF911B0153FBE
                                                                                                      SHA1:ADE883B487F4C2B359510E417BEB16E74166FE76
                                                                                                      SHA-256:8C28A5CD3B8FA97CBD2B4C4D269EC409AC2680576B47B1E110BC79DD475514D1
                                                                                                      SHA-512:77EE88BB8D745DB3E6D9FED894B5B3275E353FEC6557663E60188BF4FB764BDECD89CA89950D5223E15446D93EE2DDB181A37DFBBFA182963DD72E23F80E114D
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):799856
                                                                                                      Entropy (8bit):1.7597847647294211
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:g/r3V645uWOL8/pCuPHnhWgN7acW5RjroUEKup3JdqnajvsKyhr:gx6Yi/uPHRN7y/oU7aJdlrsKK
                                                                                                      MD5:6A205C78D14FA91EFCA3AE531D1FF7E8
                                                                                                      SHA1:9E26E81DFDBA74AE261912993DE875D13BB0891C
                                                                                                      SHA-256:6444DFA03609248EFFD398E8562AF484AD0163A6C47CEE6D3A287FFDEF809AD2
                                                                                                      SHA-512:FD797F528519BD9B864394C2A45AFA5C7F94F58D1F2B55E0017987FB521C9F7292DBE1366BE778E60352FA8F9A08C10B7299AEA39DEEEE3A164BB105857FE7ED
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):132200
                                                                                                      Entropy (8bit):6.172481694612173
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:/Nw50BNfe5FxLyWnongSwUp+k7bAMZ7cPd:CKNfQxRncgS7bBZ7y
                                                                                                      MD5:2D13C1C8539D6FD7A0717941BF0357AF
                                                                                                      SHA1:0E70EA88A866BAF660950FE74482149456557BDC
                                                                                                      SHA-256:644BB3A1AFBEA6B835422B0987376F04796E38BBBECC08C94023638EEBE57F4C
                                                                                                      SHA-512:A52AE3560B22C354F5CE89358219A7FA2FEAA12B376F72B8B53E6ED5E4B02703777CF1678744E7C038C29616975C0E63DFE17BFCB0A9D53B394452EC17AD979F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1966298
                                                                                                      Entropy (8bit):7.9989725851892
                                                                                                      Encrypted:true
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:JSON data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):39359
                                                                                                      Entropy (8bit):5.001117795800814
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {.. "Agent.Package.Watchdog/1.5": {.. "dependencies": {.. "Atera.Agent.Package.Infrastructure": "1.2.4",.. "Atera.Agent.Package.Tools": "1.0.22",.. "System.ServiceProcess.ServiceController": "8.0.0",.. "TaskScheduler": "2.10.1".. },.. "runtime": {.. "Agent.Package.Watchdog.dll": {}.. }.. },.. "Atera.Agent.Package.Infrastructure/1.2.4": {.. "dependencies": {.. "Microsoft.Extensions.Hosting": "7.0.1",.. "Newtonsoft.Json": "13.0.3",.. "Polly": "7.2.3",.. "Serilog.Extensions.Hosting": "5.0.1",.. "Serilog.Sinks.File": "5.0.0".. },.. "runtime": {.. "lib/net6.0/Atera.Agent.Package.Infrastructure.dll": {.. "assemblyVersion": "1.2.4.0",.. "fileVe
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):35920
                                                                                                      Entropy (8bit):6.456207579215664
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):159824
                                                                                                      Entropy (8bit):6.224052560324469
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):13
                                                                                                      Entropy (8bit):3.7004397181410926
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Preview:version=1.5..
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:JSON data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):253
                                                                                                      Entropy (8bit):4.585549446641918
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "framework": {.. "name": "Microsoft.NETCore.App",.. "version": "6.0.0".. },.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):53840
                                                                                                      Entropy (8bit):6.300468155319662
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):66640
                                                                                                      Entropy (8bit):6.273913453163328
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):186448
                                                                                                      Entropy (8bit):6.958336672022744
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):29264
                                                                                                      Entropy (8bit):6.524120604887875
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):42576
                                                                                                      Entropy (8bit):6.408969180714612
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):25168
                                                                                                      Entropy (8bit):6.670940956884048
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):21584
                                                                                                      Entropy (8bit):6.717352450932083
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:N6jxRm3soGTeZeszQm31WUKeWsJNyb8E9VF6IYinAM+oCen75ikD:Mj23spTeZposNEpYinAMxC7kD
                                                                                                      MD5:C2177320BC76C026D8C554D8CFEC1F2F
                                                                                                      SHA1:A208DC6AE7A5FE8FBAF5F5FDAC980B0360A667EC
                                                                                                      SHA-256:F971952E34D3BFA8263D8B5FD7F4F251B9D8C969E3EC2325AF0A3BFFD43DC946
                                                                                                      SHA-512:39A7258DF35A89A6A9B68220CA0AD159839739F8EC6DF987EE7C53CEBC2B55C44A3FD81718F620B45B14EB6AF2075A1AD5DDFA895CF34B71A0947B1BEF7CE389
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):28240
                                                                                                      Entropy (8bit):6.602224449204335
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:pzp434gr92+liFe/5XjtCZ0UaFoSc43IXABPpBzWq66WstNyb8E9VF6IYinAM+ox:5xk1/9jtGhScRwPpByoJEpYinAMxC8LX
                                                                                                      MD5:A9BB401E3DE7FB6FC038DC6BDC27591B
                                                                                                      SHA1:CB1CC3D6E4A603C1B25350D5E5581193A80D3D9C
                                                                                                      SHA-256:1B15C473C30E52A08ABDA9FFF9099E5A51EB8DB5733A7EFA29FCCEA2C17BDB6A
                                                                                                      SHA-512:EB5C0910134420FB6717039FD95CC819C24FA0F3288A83DD43363CFD902D3FD39686B3E0D74D29B0604DD771D7215DFF2EE39713D49A760E2113B86CF98BBAAC
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):27728
                                                                                                      Entropy (8bit):6.567134242779113
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:SXLAulT7JkcAoWovkT7jF6zOFz3Ge1l68mWka2WsCNyb8E9VF6IYinAM+oCltvGw:mLAux7yUcT7jF6aYhSkCEpYinAMxCv
                                                                                                      MD5:97C4011B8FC681C68FC0D9A0AFE05134
                                                                                                      SHA1:E3C5A7264874ADAF421303D679637C35DC3A1EBB
                                                                                                      SHA-256:B9FA3DFD672088A280B1B6AFB38E9539B195B85D8351F6753D064D10F23A8617
                                                                                                      SHA-512:70CA32792A0FB2325BC511FA1A298D1D03AA7D8E72B6F1F05443C0FE2D8B01521A745F4F1C8D7CE1FC27E6AEE112E8C499B2FF79C885BADC774EDD942C732906
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):26192
                                                                                                      Entropy (8bit):6.549189808431148
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:pMvnbB39p5YGTv9uuM1iFSF3yE1LlW9KCWs7Nyb8E9VF6IYinAM+oCUYO39:pKnbPplTv9uuLuVwXEpYinAMxCq39
                                                                                                      MD5:7D44B25B42F8273E1B95DB0D73671E84
                                                                                                      SHA1:265714D11A304A27443F9DBAFB33A2987C5AF845
                                                                                                      SHA-256:823154871F155DDCCB8DBE9DCC3078263A6C296D32524564E90B106930992987
                                                                                                      SHA-512:563E7DB622C13C19BA81E5C123C812A8FBEB4D50C6BB2A1686C728180A26CC246D369B1BB5B8536D28A2105CA9D8DA7C8108AE3EBE302CC180EF29BFA5C8B3A2
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):41040
                                                                                                      Entropy (8bit):6.41098819814607
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:e054t3ibki5TCk3jqEr0WBum6JEpYinAMxCmd:ePtnUj/Lkmp7HxZd
                                                                                                      MD5:CA14EEE1F7605296B50D9471B3846A1A
                                                                                                      SHA1:E26129A1044FA6A4A85A8890D3569C3900E338D2
                                                                                                      SHA-256:F7CAB383114EDE19662B14EFADEAD8E76FE59954DE5464BA64E270587D738206
                                                                                                      SHA-512:8EF77602DD6D4F86E3607A287F8E07567B216D73FA442FD7B9165B1087D2712817FAB690107EC23929EB519560CFAC897FE6C794B941A6E69CEE6D3CF661DE63
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):45136
                                                                                                      Entropy (8bit):6.259777287029036
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:Kq+RszBJV7CkN9YxrIvw2DLBjYAQP0+lyJ9PPAEpYinAMxCsi+x:Kq+SSkNNjdQc+cJNh7HxJiy
                                                                                                      MD5:0E56D17A0B873639366047CE26A5E063
                                                                                                      SHA1:491A1C758D27BBA08ACF9CFC87468988545835F0
                                                                                                      SHA-256:559CDE153D2C725745796BE20B7FE5C197DBAFBFBC3A2D4C44CC025DD75AF8ED
                                                                                                      SHA-512:A026E4CA433846D0DC3FB53826770DB45C8D765B1705D6C0DF45991440809AF2134F8608E2E0DCABBBD539049E72DA701F2951337B6CFB3ADDE43A72A739A578
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):85072
                                                                                                      Entropy (8bit):6.2673588925221
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:nNNgvCsvGPrpqSMo4Z9M4IIWSYe2Kbj5u6fjQ+7PMMcmnJz7Hxfp:nMCsvGPPed5ZfjQ+rBvJzFp
                                                                                                      MD5:68E188489CD2966EF4B9E8864B5236ED
                                                                                                      SHA1:23A5FEA5C4787804CF140741AA35F7CC55229977
                                                                                                      SHA-256:97BA41B72AE55EA3FC47A6D48769638F608F8AD498A0A81E4780C42C45F34BC5
                                                                                                      SHA-512:C14EACFA5ACCAFE998FD55868A91FAFDB3A23031A6DBECCCD76ADAE1E4F43C414C6C3AEBA4D4F4FEF04E0FCA8CB6B7F08017937E353522775924F1992377235A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):23632
                                                                                                      Entropy (8bit):6.618432341469682
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:OVAko1Z0S/oj6ETt9EQMVSz3PMA2oWs6hWso4Nyb8E9VF6IYinAM+oCqJ2qui:O3m0SM3Tt90Pl7fEpYinAMxCa3x
                                                                                                      MD5:AC95850E08238CF3A6FFC51D47BCC1DB
                                                                                                      SHA1:06CC0E13887DC0030A0DFFE067E01BE77D75CF4B
                                                                                                      SHA-256:B788F714E91102C2D34FF5E20A07F7408E9EF74343871942E5889612EBBE70A5
                                                                                                      SHA-512:58B35DA53926365A3502BCDE514E34C3159EC5DF7672527C884FF5057FF1089F0124EE79F66EA79E6004DF4CD14805C4495C43AC0C38AA07851303F3FAFADF15
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):45136
                                                                                                      Entropy (8bit):6.430057016218873
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:FxddbVKFC/2DfTMFeuzpdUTVoIEu3GzN/EpYinAMxCMe:FNxxAYFeMpdURZEu3S+7HxZe
                                                                                                      MD5:123D79B76609A0E1B4E7977FF4283822
                                                                                                      SHA1:E4F25CDDCF76FFB2569D22D2090D32B33A98512B
                                                                                                      SHA-256:871B2C2230BF4079699D34AFD6A262B7FF362431D7B2A0F4C3539A6F7D1C267C
                                                                                                      SHA-512:C4EF8889F3DED86FBDE77EFB0A017B14F6888984F0F9A7B12FCC6CD782816B78878B0F853EF2BCF0A18F6C7966D8E495B62CF11B8EBDDBA94440FFA2F2A51AF6
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):47184
                                                                                                      Entropy (8bit):6.373451878905772
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:ekfEnkM0vRbJ05axPAONhO+JZIkp5ygv/MFKEpYinAMxCz:LEkMoRxtzIk3ygv/Mp7Hxw
                                                                                                      MD5:83CBC69E9A528F906F2EB5B9528FA378
                                                                                                      SHA1:0638CA4EB918BD9A7D68C5731D831B57E5D48019
                                                                                                      SHA-256:5F7223586AE47F001319524B3A9BC4B635A0D44870733D46FF1BFF780485C4C2
                                                                                                      SHA-512:DD817FBDA24F1DC42C83C44D8A301123D5751895F5C542FDF3CF82CA1459B7728D897C3B3C5F1E1915282B7B4968F93ECB6D0DB4ECF80E79093C4F2B47B9420B
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):33872
                                                                                                      Entropy (8bit):6.465515280994496
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:Tup+kjcS4GAF7ItpTYbg8lAZnsboXAEpYinAMxCnpD:Ti+YoF7Itmbg82sboZ7HxS
                                                                                                      MD5:B4B6928B6ABD9BA62549019FC1B6FF19
                                                                                                      SHA1:AFD5DEB02D315D70867335839BA2208DCDD94D88
                                                                                                      SHA-256:03BCCF47620E2795ACDF4519C3E21E2C9009908A7B4CF39312DF8560CD3B4815
                                                                                                      SHA-512:219472590F21237FBBC3F6F31D4C1320E356C5C13DA41AB0B538A2E9F0788B59E4E847E52177719F90B90BCDF496E21CA5A894E019C5BFF923AEFD1774E07ADF
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):66640
                                                                                                      Entropy (8bit):6.302989427949227
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:syK1UG8tMAv0by0P/vGCnbr1hmiBPIIk+n7Hxu:sykl8tla/nbr1kiBx3nI
                                                                                                      MD5:3FCB549ECB9D84B10FEF1727AB043DF0
                                                                                                      SHA1:BDA06DB4121EC85DDF7F2259D92CFB90C0C18734
                                                                                                      SHA-256:AA96A108023C9FE0A430AAE727F8C8D296B72D781A49E14C73BF5FF33EC792D0
                                                                                                      SHA-512:5BBC0A63ACC4D4E3264234D472DD6EE5ABCFB762240B2B868DC344530AA520979C06B02A1BAAF43CD3B293EF3D1F8FDE7341E0413A4A9436473DBE3BF3E4A462
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):69712
                                                                                                      Entropy (8bit):6.226077670195515
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:VsDE/e+9cxoZhNyjcMiJSAopUx+ZA7Hx0:GDE2HozNyjcf4o2Am
                                                                                                      MD5:3CE2B431D7D349BABEE6937AD0851309
                                                                                                      SHA1:55FF7B9337EAE6B278756C8FCB8C021E04A1AEFD
                                                                                                      SHA-256:10E29D6B33B40B7D82298E40A19AC06362B1A51BA5C94C3A7359F5462EB22697
                                                                                                      SHA-512:07857ACE3128BFB698EF44524451F6E07596EF48F39F8806428473CABC0C71C2348601519BCC6A58237C919F0E1212021525544C8F8A15CCAAC4912ECEFCDF70
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):64080
                                                                                                      Entropy (8bit):6.289710606184699
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:M5PhAi33m3UOZsd4IZnuQDLtfjfC67Hxx:gPhAi33mhZiHlvtbfC6P
                                                                                                      MD5:31CD265714D3C3120210364A14DD572D
                                                                                                      SHA1:C5F8727A6E42429D2CF37B59B8A523844964C623
                                                                                                      SHA-256:8FD8996D02C0A89E548069CF924B4E94250C5B4D11261E6D327657F9717E33B6
                                                                                                      SHA-512:9B238628C89D4F72638DDDEF2FBB1155DA7917A56BBF749B96855822802ABAA4B76FE003721E17560E802A1B3478A49A3DE7C02F6F45B8DA54028203DB97D511
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):28240
                                                                                                      Entropy (8bit):6.542681843112789
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:31YBj07ZyQvkBd9aocTPMuiEjYpR6K698kwgcWWxseU7RWsjNyb8E9VF6IYinAMh:l4jUv6iT9jsi8HyeU7L/EpYinAMxClNQ
                                                                                                      MD5:5D53FBFB6C56DAB2AFC15E814956483B
                                                                                                      SHA1:927D7F1B9D0493FAE2C900B73734E5A323ADDED6
                                                                                                      SHA-256:23EE1A91AED2309099858E2E11EC499AD3AD4532E70E0B095DF2CFA118BAA85C
                                                                                                      SHA-512:0B775138E8653240D7DD888F6CBE4EFAA9BD7762887D3C9D64F4FC180F41703D8286DEE63B2D09314E8CB98B319C5FB2C9DD1739CE3F207AFA1AD9C3331F29F6
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):59472
                                                                                                      Entropy (8bit):6.334054400696551
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:t7WAluzJ+Je2PS7kJFT+OUjz+Tf26auuPF1/krd6zkwQRIOIzb7EFEpYinAMxC6z:xJ4V26g1YuuP/2IOe/7Hxp
                                                                                                      MD5:5C0ECE8A6364AD65C5D01B762D721F40
                                                                                                      SHA1:2CEF9284C94A608269D581A4588E81E485378F3E
                                                                                                      SHA-256:A5B60A7BAAA84EA94FEF8704737B6845823A2C1DA0B9F95240CFC61C341FA2FB
                                                                                                      SHA-512:E327BF974B9E909C147E67643A7A972F11C2BC3466B622A2286C3E9C0AF003E333A392090314D850DFFB60CE35B05441C8373D9EADEAB4EFFADC9032F2B98566
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):21072
                                                                                                      Entropy (8bit):6.659500044238884
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:UzhlvlfTcbY3SCkWJOVMWs4Nyb8E9VF6IYinAM+oC2aJ8f09:KrfTcbY+uwEpYinAMxCTY2
                                                                                                      MD5:DE75610B9B79DB4EE9FF93D756E16D4D
                                                                                                      SHA1:2B3BBC1AF7191893FC42A450280ECAD9A5C68FE4
                                                                                                      SHA-256:4C036AF950DA497F34F9E325F84A5502DE8AB373559FEE971DACA0AA6C791248
                                                                                                      SHA-512:B9CBE72BCA53564FF77C8B02598190966290DF010902114CB7FF91E6831F87B8833984AA2F2E42F9870A28919A32C9C4B4A7A14901E36272F4EA1029C9C06A65
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):26192
                                                                                                      Entropy (8bit):6.6410774484512896
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:T3WWQsE/8iqjnqHTnBdOHFgYVwOU3NW2qFWs/GNyb8E9VF6IYinAM+oCUo0eD05:T3hQsE/8irTnfYFr//OEpYinAMxC1ny
                                                                                                      MD5:F07B5825DE2EFB3133BBF61FA2A4CB76
                                                                                                      SHA1:B6CC2BE8845C0774E932B2DB1FBCAF788BFBEA9C
                                                                                                      SHA-256:A4EEE595F17C9F26EB0DC6694580DD5873938DEF495C524EFFB0D82BC3F4262B
                                                                                                      SHA-512:F24E824FE41280C9BC170D9DD1016EFC236650E7762EB115DE02B9593BDBD1649FDE1FCF9B7D387C533AA6BF9651B5AF701ABDD10D2D4B1BB072EBAB1B594DF4
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):35408
                                                                                                      Entropy (8bit):6.577511960397023
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:6oi0m9/A58Ph+mJ5fvIK0ixTryfCWo/zKeGmquanccOB30RtWW3aUWspNyb8E9V3:KDhbJ5nR02TQCWoJ92tEpYinAMxCtm
                                                                                                      MD5:6628C561065DF3B10639846B7F7DC3C3
                                                                                                      SHA1:ACBE77E78C99E86866870874A2311DCF4902BAA5
                                                                                                      SHA-256:9996C340E4E83C44110028CB28F20E9B24EB126742409FA718F90EA2A16379B2
                                                                                                      SHA-512:DB9BC520D226A1E702DAFB2F2F6E0064984854844AE214F52BAB27E9A8B39F9A5AAFF9BE87BE79FA4C5E4B9D134098AE0B72C424D09E057D1B02A75E79C9F810
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):48208
                                                                                                      Entropy (8bit):6.412254540457386
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:q7d427HfKy1DQ+SKKKKzqPo6Zkn2qZKqLzZdd0UFxlEpYinAMxCp7VCb:q7d42LfKy3SKKKKr8keqBdd0UFE7Hx0a
                                                                                                      MD5:02D75B740B732B9D45BE1C9DEEE82D52
                                                                                                      SHA1:145DE3697B7BCCF7F39EF5C1B813F9A213664017
                                                                                                      SHA-256:D56BEB31BC6BCF54AE02721D3CE2B6F42D7783483B67DB2B11E5C56E8A29EC38
                                                                                                      SHA-512:0E6041D18D62FFBBE4B9906931322F5B3856C462A330922C6264CE99E983811CF139AA52A9C10618AE8035B85B929CBAA3F0DF6FF12D29B9E269E9945C1EB232
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):24144
                                                                                                      Entropy (8bit):6.63064410442664
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:by1x30dJaeTP8pBT7xe3SUDtzWzK0WswNyb8E9VF6IYinAM+oC61mx4iw:bq/eTeABdWIEpYinAMxCa24x
                                                                                                      MD5:D73F1C9FDCAA14AA98AD1D62EB4F61E8
                                                                                                      SHA1:25180ED081DBAB955DB2E321A42820313FCAC737
                                                                                                      SHA-256:5AB6AF65EAAA7BD38B13C2E0A184D241530FD113B6DB218AD6D138A1DCA327E2
                                                                                                      SHA-512:35E80F9F724BE46786ABDCC77BA6C4E1065A41F4213ED1B8D25B37C6CF61B7706A5F9AA87A1C5A74C96BC3D2454968541C424D6D1D4B15A64867191A190CFFB4
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):61520
                                                                                                      Entropy (8bit):6.349315131405323
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:1g+uGuV+1mb5JtoNIHQs1YyH67beAn9eLfLaV7CvS4vEpYinAMxCkMq:1g+uGuV+1mbaqvy9OfLKMS4I7Hx8q
                                                                                                      MD5:64A1C30750E208D114638514140D2FD8
                                                                                                      SHA1:98F1BFAE55DE97059C7BC6A53FC6F8254C6A9EB7
                                                                                                      SHA-256:E329AF9E6DA9753A31B9908BD6F4655C646C20C088589AF9477515D37F73190B
                                                                                                      SHA-512:450FEF2F9C1712CAF22502C9906582EC6DB6D8F6675CFDC78D96BAFF5154675CF52B4A278306FCAD4A231C7E266B8F7690A6FBE23A8DD9455AE0B8FCEDC5505B
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):42576
                                                                                                      Entropy (8bit):6.373492302570736
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:TKsIwjxNp8hpwVeEfHuX1QUIh3kOP7oIyWb3jec/uiCR9Crw/EpYinAMxC2xD:bd8hMfHuXbIkOP7ym3jZ/uiCRgrd7HxF
                                                                                                      MD5:25CEB30BC69DC05B69F45F672AC1C1A4
                                                                                                      SHA1:63A1CC9B52CD8995EA1C17794D2F75E6F5E0B6E9
                                                                                                      SHA-256:EA390CC64028A77BA72653504499E9C0B131770DABD23D9E4AC099677B35315F
                                                                                                      SHA-512:0D6780C9B883D555BBDC25E08FAE14EBA3583484B1BBD366188CD9350EECD81B4A3433054872F81EC6B361EA794BC2A217F1A92D4ADE9A83182F7F2B4B9DEF9A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):345168
                                                                                                      Entropy (8bit):6.142154867122924
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:1pc1zjTFIfqAnI7FZVllnuJxKrSj8r2yQQLeBLPHGUdlWOAlMoBJR1TaKwQz8weI:MpTCqAn+fnw5h9hdls+IZTWcd
                                                                                                      MD5:E20A8D1854150A56856901090B816B6C
                                                                                                      SHA1:1F2C25FD9435D137ECEB81B2A74FEE6CBCEAD01A
                                                                                                      SHA-256:6D3F41537D09414352E42874430E3D44A8508F6FE843E52F124DBC279E76ECDD
                                                                                                      SHA-512:747A5B2C315E26558F99436B463DD766AD0E99F527A7836055CF5898FD7BE649ED8AC5613148D80F39AF068C2F556463CAE9A242939948F110A8A517E705B3A7
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):710736
                                                                                                      Entropy (8bit):5.954282787995899
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:/FIM0KteTMN4Or4D3OdmZg5WHEaEDIGBBjgrIQtD+tVqDMQ:9zMTMNNd+g5Wk78GBBjgrIQtDX
                                                                                                      MD5:35FF6C65698485C13B0796ACA1E1E860
                                                                                                      SHA1:64C4DBCBFB0C81F34E3E8C5552A9B6626C740F50
                                                                                                      SHA-256:683039C3676D8437E99C0A98FB8D4C4D2D47258DAECD897F1532640B2FA82407
                                                                                                      SHA-512:E21CFF5489A6D141CE72D4639F5BCB23F18155EBD64347BD179146D53D4E99285D39E3A1B9483C697D73925B76E56E2AEAE5F63D3BB5C8E9C5B65BCC826F78BB
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):285776
                                                                                                      Entropy (8bit):6.198879246365342
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:QMiAQB4wmESyxV8pj06e4isQ8gsHsjb/W1DBZ7DhsNcyZ:QMZpj06vUsMjbQ77D+B
                                                                                                      MD5:40F70FD9AA352F6954C048396533A13F
                                                                                                      SHA1:B5CACB14C795B8F03CA62A2FABA9032FAA5C5A62
                                                                                                      SHA-256:135C5B3FC4A3307FB373D466D8E0993F5899AD725AA3A04433D4CB22E205A1D0
                                                                                                      SHA-512:6AD391AD6603C4CA8A168B31968FD9DCC467D23E38A93FD616F5DF38F00A0B4152E6AA9166C37D63D96C32FEAE01DC15709F7E7F2BE37CEE3CA18F063B69EE02
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):38992
                                                                                                      Entropy (8bit):6.2961633461406645
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:vdfuvOXFXW/8O6bXD+eeIgLPRsnHnyhQupytM9z7O3zfXYvj8rbPH5nTLhCPsIlc:vxuJRRsnHnyhQupytM9z7O3zfXYvj8rb
                                                                                                      MD5:318DB17FA7B98E18B6C3A6A139341D51
                                                                                                      SHA1:CF98D3D9E98D198D8E30D221EF9ADA5441A88B5E
                                                                                                      SHA-256:4D3114B2CF333C56CFAB3CD9CA3C0C16571D337B7E5EBFE72BCDA5C6BCE49E6A
                                                                                                      SHA-512:8CD7EE526136FDD48AA900193F2A3A9B0B371569D5ECD21ADF1E57A88DF275579C2C42FEC9B48549C505A605FED016696377FB5B80261EBF36706F818F9C0232
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):27728
                                                                                                      Entropy (8bit):6.552984475987511
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:iSgpZUlMxR5I1z8w3Uta2lQBVMxzMJktYm+9HWXCYBNyb8E9VF6IYinAM+oCKtKL:iSCZUl2O1zCnXyzD6EpYinAMxCk/kp
                                                                                                      MD5:DB2C92A173A2A0373A1F8190E95FA17F
                                                                                                      SHA1:FE61CB7B6B8E90E438F17A58775F3A70235744CA
                                                                                                      SHA-256:DD3547F40D823D6B0462C9C11CFAEDF306E01782BF28AEA9B0C31DF6812D7E81
                                                                                                      SHA-512:66BE8021026769C4509577F77650DD4D20C50EBDC6111342AB91A0C590118E5288B5524E6AF104B1505602231B3B14830E318563FA83F1F1D13C9F06CDEAE86D
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):41552
                                                                                                      Entropy (8bit):6.321380010408937
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:MUqoXsEgfFHoiikZ9y3BHdD+XR/tGo06BWEpYinAMxCD:jLrgfPw3mXREaX7Hxc
                                                                                                      MD5:680AFEE0D0AE8CBE3C14E8B2E98331A0
                                                                                                      SHA1:A4536CA35F55179DCFAF8507D8BED284F8A87285
                                                                                                      SHA-256:9BECD7633640CCA28369CE850BE2F2EB7F3D41B32289D7E4D99FD53E014844F5
                                                                                                      SHA-512:586B4D5AB7274E0BBD26CA7B6A08A39D83CCA6B134523342094F0159E42873AF987908DAF52B7947402288E7C399C78EB63658C3591C708A24B7270936B16F5C
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):138320
                                                                                                      Entropy (8bit):6.160416546932122
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:cobKO7RaoWuUeZk/f0Sh1HlWZm1ZZTdyGFkNUMT+P65jDtYQn:JbKKz1UeZk/Phv8lDuPaf
                                                                                                      MD5:347415351ACC3FA1BB4B12FE70D8DB3E
                                                                                                      SHA1:CD659D48CA294880D2A950521869E3629B680873
                                                                                                      SHA-256:72A60990CB728C500FEDB1A6BC89D8EDF4661C89FBE3B899A7D8B2674C59CA1C
                                                                                                      SHA-512:CB8EE748F5604EB81299B48B8C0225B1C9FB557472112CB576304E6A52BDF4343BF28F1169E4B60C60357D26910004012D136997C165E226E1B5FECDC397F878
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):150096
                                                                                                      Entropy (8bit):6.238069789487319
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:c0B07tjJYVNSCn+tn3nUMI000000I+49U2BL1krvm:v07iSqSnkMDjyC
                                                                                                      MD5:06740FA9E73A184DCEF81A0F9964BC0B
                                                                                                      SHA1:E0D18EFACEE6AA0431EFBA2ABD4F0BB34E47BB41
                                                                                                      SHA-256:91A4499366A332F2EA2EAAF8CCB1B67582553E8ADF067DE6D3FDC4D8B4389071
                                                                                                      SHA-512:B021F4ACDF88EB321981278F8F38D385D200227C975C3A289B2D1BB2D948C5336B78196119B07CCE8C6312926F9F1DE07CB5D0A8D4ADF979C664C8B8A25CB805
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):52816
                                                                                                      Entropy (8bit):6.18197692498772
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:NtgEqel7clEfRWOuDXaVIWb0TadZjirgFDrGfmAXOaYbMlfEpYinAMxCr:NiprEfsOuD0hhji6DrLbAY7Hxk
                                                                                                      MD5:161E234AD2B220206DB6341B670DBD06
                                                                                                      SHA1:B5EAA6BE5BE77227139F2298312A406EC959ADBD
                                                                                                      SHA-256:DF6ABCE21AEDCF0106303877C88F0039C52BB5C5B98B537D9C079874965E9875
                                                                                                      SHA-512:4999FC5AE69EF904460794C33D9E5642ED2E47A4104C6DC3CF958DC524159F59D3335547BCA5EFB182D87773124BC6E35C524B2488CE0EEBA351BE5FAF3DC5C4
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):34896
                                                                                                      Entropy (8bit):6.290935546349103
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):71248
                                                                                                      Entropy (8bit):6.13173802618335
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):543312
                                                                                                      Entropy (8bit):5.987161302939433
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):9728
                                                                                                      Entropy (8bit):4.560006548424685
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):10240
                                                                                                      Entropy (8bit):4.43329064965383
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):10240
                                                                                                      Entropy (8bit):4.581775279455886
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):10240
                                                                                                      Entropy (8bit):4.368843686720491
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):10240
                                                                                                      Entropy (8bit):4.593201257102684
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):10752
                                                                                                      Entropy (8bit):4.84740063117937
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):71312
                                                                                                      Entropy (8bit):6.106692533939604
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):801048
                                                                                                      Entropy (8bit):1.7800450887072108
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):159904
                                                                                                      Entropy (8bit):6.097873216527841
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:eXCCOOz54xuTlmyRmIazZ11Ip5ZUWISFogVJoQyaH5MbDiz:Wz5dQ/cpJISF5c8abC
                                                                                                      MD5:950CD24EA3A9EFE5CCE594A8B228AFDA
                                                                                                      SHA1:4609AC99EBD157E4C9BF7E276EEA961C4BB3AA4F
                                                                                                      SHA-256:2AF781190AB7C97D6B846D5027745D609AD227665695E8ECB3AFD4CC9FCE6537
                                                                                                      SHA-512:2E8D0DE29E62732458472B8FA5AC35C48416E6AA5034BE309F688A095E6222A215EA3318FA02358707FBB98918983F2AB8996AC6703585485533ED4975AB7E3F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):86816
                                                                                                      Entropy (8bit):6.013720216920584
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:rqz3g47M9YIB/nRPP6eyO0MIq6y7suFvTbqtN0p7pqHUzH:rq3M5ftPzTLIq6y7sgytNK7p0Uz
                                                                                                      MD5:AAB8F9887FA45F30FE04472352E5AFEA
                                                                                                      SHA1:8244D05575D13E605B22538D7AE66D4805BC45C0
                                                                                                      SHA-256:7DFACED56145F3C6B80DE25A09E0DF6729149EF3C6A8F8F1B559E93B914FD2DE
                                                                                                      SHA-512:97BA85978B48324908427833374CB3C19DE01F136D29A3ADCAC350A0555B30087513CD33BB7B18F0CB52CB3E8884E0ACD1BD256704A8B96EA0C4CA8A0F8135CE
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):9728
                                                                                                      Entropy (8bit):4.709151479489131
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:0uWWNv/jzSEhtiBbSEmfO2mdqeCtzEc6yCPVo1L5rxg0XWr:J1NvbcbSEm22mdqet+ws5rxg0XWr
                                                                                                      MD5:90289DA899746E328816734D723C93A0
                                                                                                      SHA1:6AF8E30872729E89FE0A7C01D99DACF4AE6726CF
                                                                                                      SHA-256:2B3853CEBEA222ABB31C2B1E3D6CD19A2F6621ABB56954162751A2B592680676
                                                                                                      SHA-512:ABB6FE5216B412CD85E139D69657A40BEEBA00F2DD0DF1795AAD8CF27C13D9CE0EB2DCF3904CA445678D689CE56FA2C169ED7B40490181EA6B770B1A634A6D4B
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):9728
                                                                                                      Entropy (8bit):4.7267524338984295
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:T2WWNv/jzSEhtimYtEq40uI7Sr2fqmxkNeo7R7L7c7xM757odHK9nPo21f5rxg06:a1NvbOtEq40uYSatEdHwWloA9Pb5rxgJ
                                                                                                      MD5:2356F25971B72EDBB3303AEA1BEFB9A1
                                                                                                      SHA1:60780C3E4F36829A0038BF56CD929148A0A0523C
                                                                                                      SHA-256:99C3F55737EBC53BA4EAA92FAAE23EC8AAB9149826E5D821D6BC976706BED237
                                                                                                      SHA-512:3252FE8D4A04F4EF79DB76DEB446FBA236E0B281E0B1B35488198D8A5D8EF0F4890ED68DB0E93CA17CE3783B6A6A4D71EF5F8979F917E05D4DDAC638DF082A60
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1152141
                                                                                                      Entropy (8bit):7.9996934105504405
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:24576:Y0MtJOalt7fQwfM+tshGvx5LBhqAc9sDQPfs8+5iaSpFiz:65Lm++hGZ5LnZMO8f+5Aiz
                                                                                                      MD5:9A9B1FD85B5F1DCD568A521399A0D057
                                                                                                      SHA1:34ED149B290A3A94260D889BA50CB286F1795FA6
                                                                                                      SHA-256:88D5A5A4A1B56963D509989B9BE1A914AFE3E9EE25C2D786328DF85DA4A7820D
                                                                                                      SHA-512:7C1259DDDFF406FDAADB236BF4C7DFB734C9DA34FD7BAD9994839772E298EBF3F19F02EB0655E773BA82702AA9175337BA4416C561DC2CB604D08E271CC74776
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):52272
                                                                                                      Entropy (8bit):6.139785828189609
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:avB4oeg/Po2Obb95bmrpeALHpZAgEpYinAMxCC8:ruQpbHbklAp7Hxx8
                                                                                                      MD5:3180C705182447F4BCC7CE8E2820B25D
                                                                                                      SHA1:AD6486557819A33D3F29B18D92B43B11707AAE6E
                                                                                                      SHA-256:5B536EDA4BFF1FDB5B1DB4987E66DA88C6C0E1D919777623344CD064D5C9BA22
                                                                                                      SHA-512:228149E1915D8375AA93A0AFF8C5A1D3417DF41B46F5A6D9A7052715DBB93E1E0A034A63F0FAAD98D4067BCFE86EDB5EB1DDF750C341607D33931526C784EB35
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1782
                                                                                                      Entropy (8bit):5.026919218581437
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:3rrb7h+1/gYo27RgdSagFsg+w3Sg+CjdgDt:7rn4cwCR
                                                                                                      MD5:13CFEB2261E4DAEAA3C06F7A60078F91
                                                                                                      SHA1:D76B6D07D8FEC75789025FBAB18048AD193B1462
                                                                                                      SHA-256:6BBDCC477F0C1EFBD0129AC7716F96CC2844103169AAEBFF03D4C8F5C54745D6
                                                                                                      SHA-512:F804155363FEB09427F7C8E968EAAA7DDA15F739769864A23C8A0FC9137151A03F02FB30B11F47A69DDCEFFF02BF933721C3757A3FB78C705D0537205BBD3A92
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):11
                                                                                                      Entropy (8bit):3.459431618637298
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:WhTLV:WFLV
                                                                                                      MD5:530F2E4E5E3DDA283DB3C78CC0C13297
                                                                                                      SHA1:CF60B778D32C9562B94411DA9DCD8FED2017AB84
                                                                                                      SHA-256:447163A4A3F1F10AFD9EC48F915085B3236F0FA7EDC9973C16925EDB5F6CF0CC
                                                                                                      SHA-512:DD4F7AF9A0F57707D1924BB504D3FC267B4898B909CF6E6ECD274BBC9B487A5CE5D8000E3FAD6EC0061E565C728455965C91F1B4E380227264AD2EE3E2990E28
                                                                                                      Malicious:false
                                                                                                      Preview:version=6.0
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):95792
                                                                                                      Entropy (8bit):6.184818983275012
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:GQ7brNBoXFbuhpLHbTOgemUu7+n3uRw1FlQRd5JY4t5K56y0sDrUfvPrhZwLXF7X:GQ/iwLWgeW+neRw1Hyd/YCs56y0sXUfG
                                                                                                      MD5:23C8674C75D5944445BF1C035E4A4789
                                                                                                      SHA1:A1255CEDEAC9F9A04B50C7814CD7C61A50623A19
                                                                                                      SHA-256:D2043F878740F643BF91F3EF798DBB9747904A1D503AAC4ED2108131F663AB37
                                                                                                      SHA-512:52ABA8350A05E9E5A672CB04CE528CFC4DA009247B2BD8B63096AF9A37C1F352A4C2BD12B03973AA1E733551F94F542814E425223DEF2AA33B595AA2DC555A95
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):95280
                                                                                                      Entropy (8bit):6.002764283325334
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:ocNQW9Tbp/VgiZi7sT5gdBxYJMcTnbJkI+eD7HxSR:ojobJVgiHMcr5Da
                                                                                                      MD5:10961147A546FFCD8B7C19771BA70198
                                                                                                      SHA1:5B63EEA0B2E53DB81AFB146D469E899E1E67DACF
                                                                                                      SHA-256:95C53735107ADCC39E6C3268335B2AD434E2364A007CC97B2147AF3A6EE837F3
                                                                                                      SHA-512:9830450FF9E8D2E6B74D8D8938A18DFB1BA008249D389FB923D5AAA25B7F8F9E5BAD4CB3FC13100C5F53B0CCEDA4E9427E90F2B733EA9BE0FFAA5D5F165C815E
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16432
                                                                                                      Entropy (8bit):6.656654225594367
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:5Xh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl5XqQ:5Xh+tYmNyb8E9VF6IYinAM+oCaFXF
                                                                                                      MD5:96703E15C375B8A701C9D1F5BE8C4149
                                                                                                      SHA1:B058FA32FBDA52D70C1B966640B4824D5487ADC4
                                                                                                      SHA-256:3F830FA8F22EB09D59088705E26DCE964FB430722E91630B03EB15FCC48359A0
                                                                                                      SHA-512:3D7515BBFD018BCB24C69235A65F401BCF00D6932E412696FF31DC6EDE9436B2D4E5983450C9F88AF7B52D18949B4C1EFFEB9C3F94E85DCE57C4495F21D21A86
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):52272
                                                                                                      Entropy (8bit):6.410547751816252
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:KQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAM/:K9ML8LW/usybGYVE8mZw+89Wu1e7Hxas
                                                                                                      MD5:20FC2DB17D09554BBC37785B3644DFC3
                                                                                                      SHA1:AAC4CA54730DB46145748AB419CF6BE3B39D2A74
                                                                                                      SHA-256:4151D6C627A324D9F2991A4D98BB7544926DB41B3211EDC1B2085922B1D1FC46
                                                                                                      SHA-512:62F6711FD2861BEA0FC214882678CF7F98CB53E8AF858C46CCC1F5B1F2FF9C22DCBD3A184A9DE9AD2D2148F0B529426DE7F793A63A459D72D2DCB048DF4E40FD
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):398896
                                                                                                      Entropy (8bit):6.13440642371392
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:hjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvr:h+e55LgIkTmyAAfTnMLvr
                                                                                                      MD5:A79C5395D945A1A369EA05D73B1170E4
                                                                                                      SHA1:937D030106FD7E88B61E4F4D1AC28A3B9FFA0AA4
                                                                                                      SHA-256:7580F72E7059A9DBCF41C94DC69ECCA0B3A983C010DE86B9A509A701163AFEC0
                                                                                                      SHA-512:176C719C2595A6A01041EC240D5341FAC5AB6137756FD70F71A1B5C5A6E9A923FB61760808840D439CDBAB70ADFAEE137B13600875E0BC3A209E501DB84C2AAD
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):883760
                                                                                                      Entropy (8bit):6.071525670553409
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:Y1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQm:Y1n1p9LdRN39aQZUq3
                                                                                                      MD5:022108AD251A8942E295269CA824DE07
                                                                                                      SHA1:05CE96EB21FF69C5ACE572405A39936E594B7043
                                                                                                      SHA-256:353FC27D930C31219086C6D391B0502AC298F6084DFCB3EA423DD1DAB3BA1907
                                                                                                      SHA-512:49028D3C1C7C8FAE813F294577B97EB0C66F2D62DF880072AD59679460D55A6DEB1546DDF07A7353563910E21F4D53F5FCB4BD421887D7B75429083CA200C16E
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):710192
                                                                                                      Entropy (8bit):5.960711597816388
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:yBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUc:yBjk38WuBcAbwoA/BkjSHXP36RMGl
                                                                                                      MD5:25879E885A79F4548FD878EAF4A82396
                                                                                                      SHA1:AFB8D0BBD5687D2FC19C7A3FB66EA3DF1886DB8C
                                                                                                      SHA-256:3DF7B27F8649C95C56F1F68A040F29FB28EFF6756F8BA78C480DFBB541E59E4A
                                                                                                      SHA-512:39EB28B89A077D37FC8076A364B26ADFD348F6DC891AC08FACCFB071D3806C32AC0A3A5D82E8D4DE01DF6F9E1C4271CCABFA8FF7248CF6886BEF8FE4BDE51B6F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):284208
                                                                                                      Entropy (8bit):6.117274836584594
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:NZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHU:fgo0WPVTXg0
                                                                                                      MD5:66DEBCC5962642D31706EA1B067288A3
                                                                                                      SHA1:FB6A76C0E5189F66FE1D0E192349077A45BF437F
                                                                                                      SHA-256:8CBC47B453EA20F1EEA3337981A1A975A16B68B27AA156831D2B4AD0B63EA980
                                                                                                      SHA-512:5C485C7D319BA9C019FBDCA48833D3628E6D9EA6F3AABFA47A519C363BA81D11265427FD470D5D665795B010A26E751DA404DBD70895E5EAFC83CBD50D83ED2B
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):22064
                                                                                                      Entropy (8bit):6.676829122620627
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:Ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqXLP:TuhMaVmzDC67EpYinAMxC5
                                                                                                      MD5:C3CBDF33261AA0BAA8C11B4D713BA911
                                                                                                      SHA1:A486A2CFA6EF16B9DD005C689C767E47BF18D5A6
                                                                                                      SHA-256:0BD8B6B5D401001A2003486077BC095A2138B42DE7A52B212BD7A4AAD72A9E35
                                                                                                      SHA-512:132600340186128C7B8EA40D77DE9E5359A52949E7EE815CF959E2000A6EE178FCE26A2AAA2EBC56A48318EEAD3038189567CD5D14F9E977780373649C83F41D
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):97328
                                                                                                      Entropy (8bit):6.241615255803021
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:rNSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxhP:rN3OWMsQ56vd2s+KuYc9RTJrP
                                                                                                      MD5:259DAAE7BD386F6AE1C50DEF93F9A274
                                                                                                      SHA1:70E68497781C4E7B931B11E9EFE702ECCFBC3AF7
                                                                                                      SHA-256:859758492E07C9297C1C5A0A31FA30129C23D479F442ADE01F4A51F78A0DED08
                                                                                                      SHA-512:8D25CB5982E2D8A5EFA0056C120E1BD5AEC7E28DE4DEEC9BFA2BAEBFB0FABDC4A12369F901C8415CDD3402C9A0E8F8F338C1C5E3FEB1A2C0F45ED446AB80701B
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):138288
                                                                                                      Entropy (8bit):6.18032959054322
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:g3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnJ:S0qjCSRE+fw0kG71S
                                                                                                      MD5:CC3FFADF699BFB7F10A176AE306707E8
                                                                                                      SHA1:C0824E4E57FEBEF32E904E540BA369BB77ACD15A
                                                                                                      SHA-256:D48B4C4D3BED0F4662B98E557A0EDE24B6C3745E7BFFC114164A2FD33D947904
                                                                                                      SHA-512:BC648768FA54D6F9A0FB70CE88960EE2137712FD7056F8FF28D2E222871D2FFA96B97C81E21D84CD71EA336F29D28977EAB57D858B2B7D1D7C7B2B01BB455C32
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):17968
                                                                                                      Entropy (8bit):6.672454142602205
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:Nh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeB7f5DxmX:Ny9eEpYinAMxCA7xDxmX
                                                                                                      MD5:2BBEC1A6C6C64499CE0A4EDEA5D0C629
                                                                                                      SHA1:A1C39059B887B7A1BDF93CAB3237413D5948BE26
                                                                                                      SHA-256:D80E6D1C2A0850A2FDCA5F16A259130B08DDFE968CDC137253221CD4600D53CA
                                                                                                      SHA-512:B27639E9D30FD23461723708D4067C99AA3162FD8EF935AD5DA75776EBB46F2D11BD0FCA211BE35A195CE3020E10E063F66FDDDEAC0624392143B856DC23C174
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                      Category:dropped
                                                                                                      Size (bytes):384064
                                                                                                      Entropy (8bit):7.999354812539926
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:6144:oT+//Q9zzulKCWBQWv2SaUi4QGX46RIpikyZVsEJ4edsS5OmBOGapgfFwchugV7h:o6//QYKvQe3as3vt4edsTEHapgfgt2/l
                                                                                                      MD5:62BA835DA9186B6F9ABA75DB02BDA457
                                                                                                      SHA1:73CF400D8CA1E32DC336344778E43BA5F077659A
                                                                                                      SHA-256:3F7E666C873A00E2FC36561CA3C6554D64EE592CA6D7AAE44C1D578A4BA952C0
                                                                                                      SHA-512:AD12DDCF069B1E41895C6FE95B4206AFD5E41FC36078323B0CF5084A90322106366B1058FD19F4A7A2E3298B59EE06CF8DB75DFCEDAC3377211216A81DD86CD9
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):176176
                                                                                                      Entropy (8bit):5.810538753278762
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:8hu0H1+EJQCH77wKu8MFZYfAZN8nCq8vwzZhq7tZ:8hu0H1+EK27wKu8MFZYSIZhqn
                                                                                                      MD5:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                      SHA1:F0EC4BB9BE94EE250ED38E88A87B65E727A9A058
                                                                                                      SHA-256:C46A613D72F89B5886A79B742AA845152505734642188EA710716F63FB775C77
                                                                                                      SHA-512:1FD0EADD36D9058E7BC4AC06108B0430ABD5D43BC14100593352FD2F5639547B92BD7AE9691E219A26A90A80E4427DAE687A2312DCA0A48F71DD3ACFF9494752
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):546
                                                                                                      Entropy (8bit):5.048902065665432
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                      MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                      SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                      SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                      SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                      Malicious:true
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12
                                                                                                      Entropy (8bit):3.584962500721156
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:WhWan:WTn
                                                                                                      MD5:5114AE785BDC99E7A17BF2CDA7D29A72
                                                                                                      SHA1:3DE3B2F755C832B8D5E6C0EC409448E2F559FFD6
                                                                                                      SHA-256:69DFFBBCA4B0D194104AF8F2E0FCF2B8019BE844149151B35AC0777A26FDA2DB
                                                                                                      SHA-512:87243F0B4B8E45408B39D209FA7AAFF2A844D58E73C431F7887C90B000FD19B12048987218598945D4FAA0FA75FDAEA83FC50583175143DF737134A2BDD27D03
                                                                                                      Malicious:false
                                                                                                      Preview:version=37.2
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):96816
                                                                                                      Entropy (8bit):6.18002703527251
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:9Jt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7HxwX:9QUm2H5KTfOLgxFJjE50vksVUfPvCy
                                                                                                      MD5:DDC6B969B5DB1626766381FF12340FA1
                                                                                                      SHA1:6AAA12B989EDAAD22E1DB21127DDCFFD8951930A
                                                                                                      SHA-256:CEBE42FBEE50769C3CF9CE1ADEB4FA85046802B7A298BDEAAC3278CF4B653525
                                                                                                      SHA-512:B86D9C2E1234960F6614B6E6D790EEAFB093DB4CC1C9A2C4FE55EF0D4496D79B673F1B373BEDB036D23246FE1D3B7370FC0A195F59508A0566BF101401480F6E
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):704560
                                                                                                      Entropy (8bit):5.95412318973471
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:t9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3c:t8m657w6ZBLmkitKqBCjC0PDgM5M
                                                                                                      MD5:6EB75A19A6AB8F9DE3886261B399A8F7
                                                                                                      SHA1:7FE98DDEC3FAA1362167BE26B5455283E7777881
                                                                                                      SHA-256:D1A4D5FB2B89A96A3EFFC149D0A32B72182D37B59414AAF78E202D91CF408A68
                                                                                                      SHA-512:383C477438A3654DCF5EB984626715D14AD6C771692B28326EE2212034F8B70D4430AEAE677532C66619883CBE86456602E544F2E0F0A98770F69BE3956504C1
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):4.660431349372335
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:hsShKq4MsShLP6SX9NfzyShaKf0OTjGShaKf0Od:J4qBX9Nf1Fd
                                                                                                      MD5:31D6675E89C4B4E606332A439C720405
                                                                                                      SHA1:1A9810767670BA47A5B18ABF8F396F02B5DD092A
                                                                                                      SHA-256:94D5364051DD1C885D1D2B6F6DDEA355621CE0B50EA61D21211A4FBD46D4903E
                                                                                                      SHA-512:603EABDAF91D02288F69B9ABD3C23605768C52EDCB1073DE098F574ED89A8A8CE3F8184C0D638B0C837480A8ED4028194DFB74EBB4E2740B2F436C99F4FA5487
                                                                                                      Malicious:false
                                                                                                      Preview:......................TAgentPackageAgentInformation, Version=37.2.0.0, Culture=neutral, PublicKeyToken=null.....6AgentPackageAgentInformation.Cache.CachedDynamicFields.....<DynamicFields>k__BackingField.<Timestamp>k__BackingField..JAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto[]................-M...H...............HAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto................................................................................................
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):35
                                                                                                      Entropy (8bit):3.6827347174280898
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:dTSwk7/:d2w+/
                                                                                                      MD5:48187A3441B70825F01C06EA30D6B2F1
                                                                                                      SHA1:E49CD4F37CC4FFEEC2E9AA9EEFFDAF57A3FE7214
                                                                                                      SHA-256:2E6ECE9573FA935B25BED7093B788F2284FFBF67225915E7576E2B64EA0EF061
                                                                                                      SHA-512:600BFF49BC44AC1D64AA8C8EB18C40FC2875C4113AFEE161E344C5AB8237444CC29E053872863EBFBCBFC08A7162BB2F4892F3D7A46F8D812D64944463CDD516
                                                                                                      Malicious:false
                                                                                                      Preview:.D5D63919685EA090AAFA10F4DDD55F81
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):35
                                                                                                      Entropy (8bit):3.677028119136097
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:fc3Gh7UgzVchXn:f7NUgWn
                                                                                                      MD5:E49A5284D2F384905389D53944708C48
                                                                                                      SHA1:E455420E95EA0246B8B63A251B0E451ACD711B28
                                                                                                      SHA-256:33FD3B161AEC8867652C6B0707180ADC42C267EE9F66E33BF0CE70B55B4660B9
                                                                                                      SHA-512:E9EC60296F38F68EB6C6233094E50EF534CE44A91E6511097158D631673017F8FE316E1C11A494C29BD8BE6F94AAFBF9F4A9546E709694BD3CC98B12CD243FF4
                                                                                                      Malicious:false
                                                                                                      Preview:.2E69DDAE9D0D04A8ED39EECA359A9772
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                      Category:dropped
                                                                                                      Size (bytes):310625
                                                                                                      Entropy (8bit):7.999405140969265
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:6144:EQjapzpRU64iYUQf9N4E/xWTUugwXWBoJW55fJKsff+Idm3lqd0LNINv:EUaBXU5BjfcE5WTkwGRfQY+Om3lqdvF
                                                                                                      MD5:C728ACD21B22354974BBC7DB824F8B97
                                                                                                      SHA1:F18C8153D0FCA47FEB5B530154A4E67E86495A96
                                                                                                      SHA-256:3E624F954882F531CE6194454BA5B88D0544920BDAC7C5EBFECDD62ED67690C4
                                                                                                      SHA-512:5C7F82DE50DEBF5BBCCD96FEF8BDEB85E160F1DA08C8EC7B140E988FD16BBB9AF493E24C5479C9110BA32FB8D4A5774DD2374DE9530501B3BE4B383529C58BE0
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):27696
                                                                                                      Entropy (8bit):6.448893455648887
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:TndoS4jOhWCHDIJNQnt96+aTkdMEdcG7UhZPWU1Nyb8E9VF6IYinAM+oC8Z1KTm:Td0SkSeIUhrREpYinAMxCm
                                                                                                      MD5:797C9554EC56FD72EBB3F6F6BEF67FB5
                                                                                                      SHA1:40AF8F7E72222BA9EC2EA2DD1E42FF51DC2EB1BB
                                                                                                      SHA-256:7138B6BEDA7A3F640871E232D93B4307065AB3CD9CFAC1BD7964A6BEC9E60F49
                                                                                                      SHA-512:4F461A8A25DA59F47CED0C0DBF59318DDB30C21758037E22BBAA3B03D08FF769BFD1BFC7F43F0E020DF8AE4668355AB4B9E42950DCA25435C2DD3E9A341C4A08
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):542
                                                                                                      Entropy (8bit):5.041389931890446
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                      MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                      SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                      SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                      SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):13
                                                                                                      Entropy (8bit):3.5465935642949384
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:WhUv:Wm
                                                                                                      MD5:27AD88A291FC97D97FD773334DE4E487
                                                                                                      SHA1:04B5DB46F05E02E2EC94B8A0A3447EA41FA4089D
                                                                                                      SHA-256:4E7F8923223CB32E5D376EBC0C5361DD97DB201848590C4877D586723142B49F
                                                                                                      SHA-512:5B21A87E19D4E3D7A14DC05C815B8D06500695360AAD1F54D2D3713CF05F646E9E7D559551BFE2CC2CDEBCE29A1991BC80AB2B11DDF79A4033897B34DCA40521
                                                                                                      Malicious:false
                                                                                                      Preview:version=17.14
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):93232
                                                                                                      Entropy (8bit):6.196023578677744
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:5Svbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hxh:5S8UMW+BV5M+5Nn0kom/RSz
                                                                                                      MD5:BD539D820C8163E9E86E59B99ADEDD22
                                                                                                      SHA1:FF367525BA06F8B9E611A82CFD57411BA4FBD1FE
                                                                                                      SHA-256:04C547E06CA956DB2B929CC2B6B695A649FF0F82C52E56F2677A887E7D9616DE
                                                                                                      SHA-512:FEBB46D70A5466C85087BD4E42FBA81682CF398739F7EFEF43982C830CCFD6FCEC4613F0B5542951A463161C891EE9F378CD4D2B15B1659DCBC0E15A34BA677F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):671744
                                                                                                      Entropy (8bit):5.893336561237734
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:fBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36Q:fBA/ZTvQD0XY0AJBSjRlXP36Q
                                                                                                      MD5:C3689CE3217DD82D57880C31B89A9437
                                                                                                      SHA1:051E913AAC2F4345D2364894C4154ABD287DB3FD
                                                                                                      SHA-256:9367CB126577146DB3B9C26DD00DD71C7B228F30C0FA6C698FAC26CAEAB14D43
                                                                                                      SHA-512:3471C18A4D79ED7C5FD268B25904EA2D6F3A15551B6517BD23ACD8ADE84FFF301492EC6C8861624E6F2699CDF9046DA2A8BAF351FB88EFC3AD4673A42AE57F7B
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                      Category:dropped
                                                                                                      Size (bytes):833993
                                                                                                      Entropy (8bit):7.999644881255343
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:24576:peRqTiLR3omp/AAzr5nxL2CP+sZ4tgMfQo:p8nLR4WYA72CPPoKo
                                                                                                      MD5:9B1F97A41BFB95F148868B49460D9D04
                                                                                                      SHA1:768031D5E877E347A249DFDEAB7C725DF941324B
                                                                                                      SHA-256:09491858D849212847E4718D6CC8F2B1BC3CAA671CEB165CF522290B960262E4
                                                                                                      SHA-512:9C8929A78CB459F519ACE48DB494D710EFD588A19A7DBEA84F46D02563CC9615DB8AA78A020F08ECA6FA2B99473D15C8192A513B4DF8073AEF595040D8962AE4
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):219696
                                                                                                      Entropy (8bit):5.943430076853408
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:It3Mf3ZwYUPEpbPwygJQetg0+BpU3I0toxhGf:2MfJPpjYN8hI
                                                                                                      MD5:01807774F043028EC29982A62FA75941
                                                                                                      SHA1:AFC25CF6A7A90F908C0A77F2519744F75B3140D4
                                                                                                      SHA-256:9D4727352BF6D1CCA9CBA16953EBD1BE360B9DF570FD7BA022172780179C251E
                                                                                                      SHA-512:33BD2B21DB275DC8411DA6A1C78EFFA6F43B34AFD2F57959E2931AA966EDEA46C78D7B11729955879889CBE8B81A8E3FB9D3F7E4988E3B7F309CBD1037E0DC02
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):541
                                                                                                      Entropy (8bit):5.097123194334321
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                      MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                      SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                      SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                      SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                      Malicious:true
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12
                                                                                                      Entropy (8bit):3.584962500721156
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:WhXWp:WBc
                                                                                                      MD5:DFDD2EB77BBB74518BAD98519A857D41
                                                                                                      SHA1:5F4F91D73EA620CDF0E5AC458E80B71412B1BB9F
                                                                                                      SHA-256:7655078305CC5B4F62569EF9868E1B04FCC491D33FDAD1F8E4610C038BCBAC8D
                                                                                                      SHA-512:481CDA97C03294EBAB036F99727828983C8D0E4C137AF05FDEA7FD296D11378904BACCE2D58D44F932A0BF7F2A30A9B44F4CBC05E253F132B1EF641F648C8DF0
                                                                                                      Malicious:false
                                                                                                      Preview:version=23.8
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):52272
                                                                                                      Entropy (8bit):6.300719339270839
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:5i8fXCGsSVh/2ixXxKFArYCJdshn9xvlOaEpYinAMxCuMr:5FaM2gS1y2F9Ob7HxCr
                                                                                                      MD5:9467F653980C1C37E4C64811BA27C976
                                                                                                      SHA1:68130FABBB50EAF5CFE2C355BA13B303DD373FB6
                                                                                                      SHA-256:821847799A2B7B3A6EC20BA61388AC87707D9C6865BD904A44DE5B033BD2EF29
                                                                                                      SHA-512:E72B7802256053589D889B2B7E74A2B53F328289A12CC0D4930D66410D00585C67B2C434512473CD2E74C8F2CB7685C2C34FCFC3DBA4A52399532CEB04153597
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):96816
                                                                                                      Entropy (8bit):6.1801131806578455
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:hJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwx:hQUm2H5KTfOLgxFJjE50vksVUfPvCI
                                                                                                      MD5:F1B2303DD7E152BA70F3537EDB2E9638
                                                                                                      SHA1:7E359D4B9011449DABB7F8236F14851A346B5028
                                                                                                      SHA-256:8EE8B304339B6F87E79B117F605375AFFFCBABA290A1B41BB6B3C1A40E46767C
                                                                                                      SHA-512:A4DD48F1AFF528DADF9974ADA1740CE785823FB584F55191D008158FCFB11F9ADAD8EFF992B8FF761058706C1717E28FBC9C337CF39D4EE4FFAA529501CB3188
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):19
                                                                                                      Entropy (8bit):3.181366328891459
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:hqzRYE:hg
                                                                                                      MD5:E4E9A7424C2B07AEC9DA44DFF68EBA31
                                                                                                      SHA1:757FF0CD62E30FF9D1E41AB58E062AFB74F99C5A
                                                                                                      SHA-256:C7ADC87005A37511341151C619C9745F4088F1969206CA46CB0ADD5EFE18746F
                                                                                                      SHA-512:AB59172A09C43C0F07D353B5D658A63F1D7CE52B2F8EBFF76048713FBF66FFAC64E98867B827267C22297CBEB73AB8C377FB6776C8E8C939ECC0AE104EEC77EE
                                                                                                      Malicious:false
                                                                                                      Preview:29/08/2024 04:34:18
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):499760
                                                                                                      Entropy (8bit):6.056862695710082
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:HXv781Hpx+GfCdLr/jd9yyeEAHweiPofdyz7qd352SW8CdykAfqO:/76BfC5avfdyvc2SN
                                                                                                      MD5:3CE7E73DB6F575A0D382DDAA8E1A3C10
                                                                                                      SHA1:031C13652C540CA7F798D141D7C3333FB1C71618
                                                                                                      SHA-256:692185C37DB7505250E58CC55D6707FCB099315A7FF319A9CC92FD99C5F0EEA7
                                                                                                      SHA-512:5270E772613864BD223F31F89CFA500E56E7863967C58C503F92E193AF8C8CAF934B7755868EC21585A38E8D6D186A2DC5528A805A62A0BFA56B59E6506BFF81
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):710192
                                                                                                      Entropy (8bit):5.960733432365752
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:bBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUk:bBjk38WuBcAbwoA/BkjSHXP36RMGt
                                                                                                      MD5:2A9525F27730CBF9E7145AADE4CDA830
                                                                                                      SHA1:A6A99E02599656DE1C7F51B02C84BBA8AAE0346D
                                                                                                      SHA-256:29D0073080509DB7F3F20C47980A1347CC4139C5F2E26C9C160AE67CE5EECB6E
                                                                                                      SHA-512:DDDEEC7AA9D3F9E6187718564AE1A447FCAB12EC2DCBD26EDD87217B4815C274A6BAF90A027766FCC94815C762ED9BFA8D0DEF6C1B2F84279DED9C66852D381E
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):277040
                                                                                                      Entropy (8bit):6.190626027944278
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:rSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYA:suQlBAMW0BvltxZ6B
                                                                                                      MD5:4ECF017FD71CC84A4CBAB7507B8634BE
                                                                                                      SHA1:2343F37490F9A11F5F0878A1553F0FAF504FE062
                                                                                                      SHA-256:871D9403D045F94FC433907E49B68894764FCAF81E12FBDE2AC7A08642DDA32C
                                                                                                      SHA-512:5FCB9BDA9C857BA1AD2EC0B19AD109AC54BAC91B8F8F00968560623C8AFD01FAEE1078F7C76010C7526A37C46EE0DB74A0E0DB151186F8FB220105F7091FA69B
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):149552
                                                                                                      Entropy (8bit):6.059724018456156
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:o/S+nps5/3oat9QrwQmUgs0giOBDQntBBGBBKBUkBBXBBgBBFBUABU1BB0BBBBgB:o/S+nps5/3f9Qrdd5EtBBGBBKBUkBBXh
                                                                                                      MD5:2FF31980FD256EF1B1E143D4699BB727
                                                                                                      SHA1:608A21DA2B243E63DAD9E36EE84BC38C921F8E77
                                                                                                      SHA-256:F34AD6FB7847A85ADBE1492C783233A8A32BB5E96972FA3738538CE20513F682
                                                                                                      SHA-512:2FEF83A7668D190297863592FBBC8E766042067138C3A163771CDCF1FB284BC8162EA6B7B958CB076B6AB654216B855324AE292F78931C47EDC33B52376943AD
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):27184
                                                                                                      Entropy (8bit):6.334370226233819
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:Bn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCw:BnvXYcIh6yFIFBYpc47Hxn
                                                                                                      MD5:A964D6B5F323E343E884A1E4EBBA21A3
                                                                                                      SHA1:41FEA32C2FCC56070CF904AB441019F963C83ED5
                                                                                                      SHA-256:0214D2C78CC1DBE92853305FA12119BBE09EA06B5EB9C4B4E7AD76B6FAF232ED
                                                                                                      SHA-512:3E93C094D3B9D77BAE9C1725B452743FDFA0A20EB07FFC50EA861C501821710A2C29197CF43DCEC1BF089A5BC9B8F2BF57F9FD0EC8D9805D00E32538D03CD46C
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):73264
                                                                                                      Entropy (8bit):5.955083228632948
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRX:R7N1r9KGI04CCARLX
                                                                                                      MD5:FA432B69828C0F175E44B367AF91ED2D
                                                                                                      SHA1:C0E72D5C64E9B560311EBD1EC3A35CED46386C78
                                                                                                      SHA-256:6718AFA55EF89805B69360C9E88347A39CC302AB3C16590E78136C20DB025613
                                                                                                      SHA-512:E0C54D9126C557C24013486A31D5477EFF2B800ADAE472C3103EE1F1CD527546E6DCEFB19D5DCE602AEE6DA7A0290F413CE2C6C09DF28D4333C4E62510FE2064
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):639
                                                                                                      Entropy (8bit):4.836794363599535
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:wcIytXE6rcIy6XEOMrDlr24ECuZDfwSQguJYr6uUHFrr6uUHFf4guL:wstXnsW024E5fQZY2H52HO7
                                                                                                      MD5:C1D9F895E192E2E2E6CFBB151391B4D7
                                                                                                      SHA1:58596ACB333063BFFF94D664C319AFCC242467F1
                                                                                                      SHA-256:7C92802C7A9D4DD79B43138B2EDD0D4BB32646BFE364450D482C3536D7C227F0
                                                                                                      SHA-512:595EAE5972C3644A10C87849DE0460C05A7711FA12C002DEFF823839D98A04D351B1BDE8207BC1C5FC32CDBBDE1E51DB50DB06EE72D18E0BC5B72857C456C029
                                                                                                      Malicious:false
                                                                                                      Preview:29/08/2024 04:34:16 In Program static constructor, before instantiating _logger29/08/2024 04:34:16 In Program static constructor, after instantiating _logger without using _logger29/08/2024 04:34:16 Starting Main(), logging without using _logger..29/08/2024 04:34:16.624 am: Info: Before PollAll() call written at: 29/08/2024 04:34:16..29/08/2024 04:34:19.015 am: Info: In PollAll() before Poller.PollAll(false) written at: 29/08/2024 04:34:19..29/08/2024 04:34:19.046 am: Info: In PollAll() after Poller.PollAll(false) written at: 29/08/2024 04:34:19..29/08/2024 04:34:19.046 am: Info: After PollAll() call written at: 29/08/2024 04:34:19
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1242459
                                                                                                      Entropy (8bit):7.999705337724571
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:24576:ZQXvdoybigLPNNmXx5B7u62Axnj/7NAckRq/QO8tf:KoMFLGXxn7t2ARjheh5
                                                                                                      MD5:DE647C2003B0AF989D2E87782CBDDCD4
                                                                                                      SHA1:BEDC6201C49E8B26AF38D4A81AF7545ABE4E27CD
                                                                                                      SHA-256:74732E18B4D2E436952D9BF13AFFB854D570E2E7BD25F5AE6884195A4343A697
                                                                                                      SHA-512:34438F6376D283B6E5D1D2E60B2A2A8411641E2EB89ACC173D0DB409645FA37D1D67ED47899ADA434E9BEBF054867D8EAEF14BEAFABC116E30A76622D2796A4E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):37936
                                                                                                      Entropy (8bit):6.420777740976457
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:TlK7ivy767zzumHTxUxx/u4sEpYinAMxCczxx:9IS6mHVUTxl7Hxhtx
                                                                                                      MD5:601E661FD5917647D8932600560E6A27
                                                                                                      SHA1:C259050D22DDFCCD00434FBDF4660668E45A1D45
                                                                                                      SHA-256:0F1A1F5C257AA061CAEF7FAA224959F60F8E257A5A56ECD02BB9E8BE25EA093A
                                                                                                      SHA-512:8A3822FB7A1FA5C08F9FFAA7F3FA91FFF2DB795CA17D259D3C51264434D86325E20E8398D4E3785E143AEE7430A35287112C52A876E163F5AC8FCA414E27FBFB
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1295
                                                                                                      Entropy (8bit):5.018953579697613
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:JdArdEtPF7NhOXrRH2/BLVv+13vH2/nVQ7uH2/FV0PH2/+w39y:3Ar+z7O7Rgdp+1/gnSagFsg+w3w
                                                                                                      MD5:843D2196B96E53ABCAE6F4C243D1A7A6
                                                                                                      SHA1:EB28441616660FD53653999595A3309961AA9A54
                                                                                                      SHA-256:175C1EBF4B5C56563944E65C9E8AE4595730155D69854499DB638E82E16DF056
                                                                                                      SHA-512:2C24DA122963E1BF533FD8A5C841C9BCD86442E0E49D3BE379FBB21AA607FDC6C7D30BA5573615416D55538429652BF1108D88EC8267FDC5D8C8F9ECAF11D0A1
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):11
                                                                                                      Entropy (8bit):3.459431618637298
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:WhUln:Ws
                                                                                                      MD5:5652F0418016B3ADE276CAA479E9D5B0
                                                                                                      SHA1:8385D87585086709BAC2E028432AB505875DD0CF
                                                                                                      SHA-256:5E29BFF135603676BF4545FBFF476A3C705FE61261F7334BB71C55F9DC8FA095
                                                                                                      SHA-512:8B9F9606D29895470277D78C78EBB0A9487F012EA9FD92468791E1B33E406E14E9A7DF02391F62475229051E282DCF15A5977132FDF6D2C1769C69E572C3E8B1
                                                                                                      Malicious:false
                                                                                                      Preview:version=1.4
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):92720
                                                                                                      Entropy (8bit):6.197723114252408
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:XqIbONGJUSMm8E0/N4El/5qn0k8sSU0R1g7Hxt:XqIV8E0fJ5qn0k8s81gf
                                                                                                      MD5:9730ABA0BFA904FABD79FB5E3F2083A5
                                                                                                      SHA1:5D8A6F97D6B729121A7409EF881452E8A8532E74
                                                                                                      SHA-256:9D3A9CB8F40AE8FECDCDD953C12574DCBF0D1B411ED09875A6E1194D323DF97F
                                                                                                      SHA-512:0B46876C6C48A7969FB4F548CDAF9927FCA5949F005D75B9DAA3EFE181839963D3BE6CFD34962AB7111BDB577CD0881E80EF494770B66752D4DDE7A2596EB4E8
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):95280
                                                                                                      Entropy (8bit):5.998458771567579
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:niLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7Hxlv6:2Z0PMcjrgv6
                                                                                                      MD5:DBCEF7625BA26E5F98BFDB57EBE860F7
                                                                                                      SHA1:63748B8CA00E8D0E5E6F9EF8079959AB5C776208
                                                                                                      SHA-256:7F83ED5B26F7BDEC092A468D4CF5F24FD8417EF11D479FD78FEC4CBAC74BC193
                                                                                                      SHA-512:9902A9A794D30A21681156C54C868B276F6AE294DE2D40FBA9B2448F853452DE15583A9485BACB7600467173DBCD99A1571E62F2E56FEBABBBC812DB03E5A7D7
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):51760
                                                                                                      Entropy (8bit):6.406771850554805
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:cQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyMmEpYinAMxCH9I:c9MYn1seLE8JFMLcyMH7Hxh
                                                                                                      MD5:BF0A1971F65A9FE73F8E048BA390710B
                                                                                                      SHA1:FCE44EC8DD092BA5D76ECDCF7ABC8912AECD7EFB
                                                                                                      SHA-256:F9A2D469C7FDDFD29DD49B617141F3DFAC3F98F9218198CF639887E72C7A1F82
                                                                                                      SHA-512:490DD7021B595239A98BFFA409667D864249408355E31A72251EE68700562BC90A03192C3D3C3379224876077758BB78DB337242AFD9F6F0F79E5D03AD0E36CB
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):354352
                                                                                                      Entropy (8bit):6.153608452030037
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:Hr/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYsn:Hhpp9xxIBeXGfvYsn
                                                                                                      MD5:4EB845CC376117FBD7456B5116DEF8EB
                                                                                                      SHA1:CEECAC7E66E327A55E8E8AECA34569C1A98AE618
                                                                                                      SHA-256:3147327D5B6FDC6213B8082D0A5E469EAAAEB127F9D25F5A54F83A09564F920E
                                                                                                      SHA-512:CC96AEEB1C90941EF51C9C9BCE8E4A304F33F868CACA1655CD1ABE0F110337DC4B2486F9D57DF493CBCE8B193A44561F03133AC10B2ABFB0CFA221176F8D9206
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):883760
                                                                                                      Entropy (8bit):6.071423352723142
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:x1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQK:x1n1p9LdRN39aQZUq3
                                                                                                      MD5:BC7133B1B43617AAD9B6CC4BABF49E8E
                                                                                                      SHA1:424AFEC5BBF4523F651A6AD2EB14EF0EF7CB9FA6
                                                                                                      SHA-256:E3FF7C72FC6AE0F4CF5F2F5463F7C232CCF73A9496A1A8B2E82D793B85DFC39A
                                                                                                      SHA-512:B73DEB87F0C0155CD98B9F92A4A9FE04381C1F5D98F47E3E6DA085087AFFCD6050850904CA5FA2D770465516A1EFFA3DB88EEA8198B4366E6944A8472E68BB3F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):702512
                                                                                                      Entropy (8bit):5.9432161483973
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:Kf9WGsSVSM2mxL2nRiOr8gUckc6V/g2GhBzj05cH6:YXNL2PVh6B+Bzjmca
                                                                                                      MD5:F2182E7F039D5A08B27FFD8B12DA12CE
                                                                                                      SHA1:140F1BE731C0F6C1A2AE221B5E880B37807CA539
                                                                                                      SHA-256:DE0AF87DF1D85E9D877533899B428147D961F3AD87555A997793AEE2C4EC3D14
                                                                                                      SHA-512:AF30D9DEFC925A56F963FF1B023A260B851CDE5E1FF57B8213268753E1833C2F3BC7977E97332B2B2ED2D6A20B515A7F562A3DCA4DC960125FB06073F8AEF0B6
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):285744
                                                                                                      Entropy (8bit):6.189807833908334
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:hZAWecOmop6I4A9YzsRuBeXirS9/pcRykxxNKKV6S8mSrpsPnga:hZeZ6ANRIru9/pcMkoKV64SrWB
                                                                                                      MD5:C248CF206D619DCC9DFDE1905C56ABE9
                                                                                                      SHA1:7E738C393C9C356567FEC91DD5EC9F8D7201107D
                                                                                                      SHA-256:17437BC5E33AE2D4C02DC19844C3EFED74B8F07EFDFC7E7F21E7B76162AE5C2A
                                                                                                      SHA-512:6EE09AC010C65D2C02AB25DDDB8530ACE7D5E8342764D4F98DECB94B02C18B593D22322986264327FEE2DDD3F4FDE630F63EBAEBF274D57006549D53FB9D68F1
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):284208
                                                                                                      Entropy (8bit):6.117313368373633
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:tZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHW:/go0WPVTXg2
                                                                                                      MD5:E7F7F8366DAE3FF49DF0A042E766B823
                                                                                                      SHA1:13163C2D38244CA3043DCEB6E35AA9E35E5460FD
                                                                                                      SHA-256:28FE2BB6DC8063506A50BD16EA75CAC63FF87D6C94FE8C820EB4C7C070DE0AF3
                                                                                                      SHA-512:154AE5A8F1EF145609158322EA1ED22A815643D980C82589A708C72471626B2A754EBF5CFD3B017229A32775B581F4476AEB2DC8BD10B6D8CB2842586CD514BF
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):22064
                                                                                                      Entropy (8bit):6.677875130083087
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:ey/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqh7:euhMaVmzDC67EpYinAMxCr
                                                                                                      MD5:AD27AA5DF0CCB993A7C533ABC2B12BC5
                                                                                                      SHA1:601A025FB69A53EA8627AD124BCFC6689E15C3B8
                                                                                                      SHA-256:C3836ED94362FCEAEA5EB3031CE226E3A2188196B335FC12AF5379754F3BEE6D
                                                                                                      SHA-512:FD462C30EC56D26829873C7CC437FC9B7B65DF094247486982964F8347D53CA31BC62B6926CCD242BE5C59F11E929F2945C6D15AFA13E46E7DCE68171FD7DAB8
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):51760
                                                                                                      Entropy (8bit):6.234800508786839
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:fzpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWX:fzpjF0/t043e3vggr83jMYa/hU7HxVX
                                                                                                      MD5:2D33C7F58A38D1EBD9167DDBB846C552
                                                                                                      SHA1:96A22461836A2D9D0A3D945B1A000B601DD112E2
                                                                                                      SHA-256:46DAC445CC521BBC4763E09E344CE47E89C9ECFCCF359BAB5E7DDA158798B61D
                                                                                                      SHA-512:164F50BA58540FDF9DDD0147BF36238FF2A5F4CE5F317C1B0C6C6967DB353537B7744DFDE67F0FCDA14C1671635E1E191D5DDE6FA258054E92247DAECF180580
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):138288
                                                                                                      Entropy (8bit):6.180026310625973
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:SP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IlW:Sh0qjC5RMOHO420kN1p
                                                                                                      MD5:FA1958277D8991A2CA3DCBEDD326E679
                                                                                                      SHA1:FF67C65737EA8EB970D58397AD41179DFD7D876D
                                                                                                      SHA-256:F90DD27CD8064A93700C114BA8479741030E99356FBB120CB03BC341E88EABE4
                                                                                                      SHA-512:226ED579CCD8D4CB7705A0245926A25226BC054884A55AF6BC8E707A5FA2EBF38E3094F15F309999F3D05695E7B3C9CE5022B5EAAE6E2E5E092BEDB6B9A74B9A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):17968
                                                                                                      Entropy (8bit):6.67630363450165
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:dh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBw52Z:dy9eEpYinAMxCAUU
                                                                                                      MD5:C8A500FA8517ED60D8294125640CE6BF
                                                                                                      SHA1:8D056F18F46ACC3798214CFC46A9A849DB83BF6E
                                                                                                      SHA-256:72B89634770625E6C891B8336755B6A341C8B5786C3728D9D679B756718A2DD4
                                                                                                      SHA-512:443CC856D319F519DB75B9359C57F6410821DBC3F57B4C86EC66C18285DAC7BE6FD983653343B43278553B92A7AF07D1911FA5847B8F884EC04BB8BCC8054350
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):27184
                                                                                                      Entropy (8bit):6.332745078390322
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:fn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCkwZ:fnvXYcIh6yFIFBYpc47HxlwZ
                                                                                                      MD5:D62F04C397D229F2661538F299181122
                                                                                                      SHA1:03EE3CF62888CA5BFD36B042D2E1F90F5741E0EB
                                                                                                      SHA-256:3F07F423C81340FF2BB705C599BEA8267932EAB8D5F9E2D60BC54798C3FF6CDD
                                                                                                      SHA-512:C4F91003ED7D13BF4C2E06CB462920C6D3550F76F4D0F63D3070F760A874B3EAF00813BC0871E5E3FED5DAEEB60D1691A1AE93246A0ACCCE518512B8AC3DE56B
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):73264
                                                                                                      Entropy (8bit):5.955144932150523
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:8784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRJP8:87N1r9KGI04CCARLB8
                                                                                                      MD5:328BA848ABD9A548F19263D9E43B7361
                                                                                                      SHA1:DB4D58DEAF5EC79F620EF1AD5BFF9E28F8EB0D7E
                                                                                                      SHA-256:B282E0543145778A695B875E82908698A38B0C0DCB9F88BAD135823EA69A9D94
                                                                                                      SHA-512:EC8DDA91192109C5E981E2EF73CB5F7169DBEC36B32221700C8C759883B7FE2176575A39C3CCDF7F4C3F6351560C9E37B884D62154BE6558875F117638533301
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3585011
                                                                                                      Entropy (8bit):7.9999193745697
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:49152:PifnPfXNZMNdg2I1fVkjUhN0ToFwQGw8tQRSm90p13l95Ogl5xs35F7gzzTaCzZw:PSPfadg2IIj+N0TK7SSKjUglopWD/Py
                                                                                                      MD5:25EE719E8A32A0C5DFC57A5923FE32F2
                                                                                                      SHA1:F48E0549F5F05476EB780E78F7840A98B4375193
                                                                                                      SHA-256:A5CEB8392D19691CFC565D6DE595D829D474B9B095557A55C1D11BA475E82836
                                                                                                      SHA-512:A7483CDD47E71AE7570AFF30D2EC9E8017DFE5BA6488A8E14B538912A0E3AB286BAF764A13553D30170D874C5F14EA524C5D878131304C74838AA8E0952A2831
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):396336
                                                                                                      Entropy (8bit):6.250697507262227
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:1fXwAmmWkxZjUCyC6ulqODyu+1QsF9K7SCHp5ZuI5MXd0XjkcdvCtUovOz6E8DnB:1fX7bwG6ulqJZaS5kzdKtUYOzMu2h
                                                                                                      MD5:B50005A1A62AFA85240D1F65165856EB
                                                                                                      SHA1:EEC370FA998AFCD06227DCB1BD5E6E2D36073693
                                                                                                      SHA-256:1867CF4FCB38F7E7FC98DDAD180C26A717360DF688A8EABD9F325FDE3C16F5BD
                                                                                                      SHA-512:63E664A8C12F27EF4C273330A8CE322CEACF12649C2BF61617ED8E394C43BF2CCAF1C2A14E2CE8807C11CE5EDD653FC7F942D0F4919923B37E1174A67393DBC4
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1459
                                                                                                      Entropy (8bit):5.033662307409642
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:2dErdGPF7Nv+13vH2/nVhOXrRH2/d9XF7N0PH2/+w39XF7NQ7uH2/F9y:cErU7h+1/gn27Rgdz7Eg+w3z76agFw
                                                                                                      MD5:C6ECF24757926EBA64E674BFF8B747D1
                                                                                                      SHA1:3A46083826C20E8E085C42BBFDFEEF4F9E2B90D9
                                                                                                      SHA-256:C3EC04142C15B0A237E72CE1C3C85D19CD1231B9824F7A9854E7909A74B7BECC
                                                                                                      SHA-512:EFABB9883ADB098A90115E8938C92B76BBB8D2EB5DE170ECFA205EE949A2D722E0F97F6E01F9A71AC8B5FA2108B9FF82FA0171759D50E30D0AB5FC1948BDCE15
                                                                                                      Malicious:true
                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12
                                                                                                      Entropy (8bit):3.584962500721156
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:WhW8:W9
                                                                                                      MD5:72133F8B7A6B747D14AD3D4BFF8CA002
                                                                                                      SHA1:476623D1CA063E5F7836DEC97384F79E9DD04786
                                                                                                      SHA-256:531EFE3FB7CACBC23B12FBEF7B426A3EEF4B4ACA64C20DF7637F4ABD46CF1FC1
                                                                                                      SHA-512:4292C7513F4843543FDDA960271E060648C7690AB48477FCE27C00220F5216FC813114078E64886AADCDD5FD42AD96DB447856C11FD5954D6B1596B744CD5F2C
                                                                                                      Malicious:false
                                                                                                      Preview:version=36.9
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):102448
                                                                                                      Entropy (8bit):6.190419076161021
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:OPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxc:O2bYbYSWd85I5sSakFQhHL8G
                                                                                                      MD5:F64F56F2E4DFA797D5CB4B1CBA08644C
                                                                                                      SHA1:3C2DCA64758145239E2AEF45E05CCF6BF9A7FB8D
                                                                                                      SHA-256:F23BBB31DD11D74343840FF81E37F73FB891DE7E8C6596AEED2C405DBA97CFA0
                                                                                                      SHA-512:19181FCF32B176E9D24677DF8D740D5226F5A7D044DFB24725645C951F4F7682D9CA521F62E2420C814EF177BD20F0C470B54D1C710713F75ECC7F58F7C30CCA
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):95280
                                                                                                      Entropy (8bit):5.996740439887868
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:t4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87HxsN:t4auS7S5Ea6WMcpu8I
                                                                                                      MD5:EF30D465678A904C773B58CC3B1AD66B
                                                                                                      SHA1:D08C5968C279790EF2D10BF2FFC1F2DE937ED4DD
                                                                                                      SHA-256:A5FAFA659C8CEC0FF892405939E3BB32269845D4509763ADD219C15E7D2A8710
                                                                                                      SHA-512:521E64502F81A789DFB6D4FBE545F76DFE32C7998222CE3002DCEBCE5550D60AF6F29C30F9A4B8B888639CAEDB8C718BA34D88BCCA782EF13E8CE3A81ED537BD
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):75312
                                                                                                      Entropy (8bit):6.240212933460331
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:Su2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrY1:fF+qo7mDEwj4NXLGcfgruFcg7HxRv
                                                                                                      MD5:E307CE14EC46071E8D18B6E281A4F955
                                                                                                      SHA1:2AA8E6FFF7346019682148DCBCEF44F72ECC4982
                                                                                                      SHA-256:E1E9378C07B6783755D1CB46115A1791651588BD172BD535630C306198D384A9
                                                                                                      SHA-512:2D7A23FF1D4837FA51E9C93FA0FAC0CE4F5C7744DFED28DD87C75CFF550DA121D0383F488316FF056E60C1068F59A3634E0B09D62065271B1773B73E99C54D4F
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):51760
                                                                                                      Entropy (8bit):6.407791203959866
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:GQMnMYPWMXMwtKsSdj3xn91SPSvwzE8Kku6P3A+wf+bMEpYinAMxCkU:G9MYPJS/16/E8/3A+++bF7Hx3U
                                                                                                      MD5:A36553BAC1F9CBF5ECBC13F7BB830E7B
                                                                                                      SHA1:2BDACF2F0FD7ED5F3E62E4888F0A9034E8882BFE
                                                                                                      SHA-256:CC527E9A3E527C9907D1AA00564057D070BA9B269B9FB2AD8D0F3DD380CBD3B4
                                                                                                      SHA-512:9B3CD927725CCA3B2159F91406EF472506348BDB9CF1066386E1DAD1E9C2C4F4A72BF7A936AC9694F259C9F73AFB71B1CC37F9B5C0B1FF3D0259D1B9BD3214B1
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):155184
                                                                                                      Entropy (8bit):6.247738832262604
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:T0feG0EI+t80zE04kjSnY2QJ6lwZaBsEFmWF+Ykt:IP80zukOltwWk
                                                                                                      MD5:CE4E3B687617A7C94D73539DCD89FA73
                                                                                                      SHA1:4C6519693D081D9F03503AA5CA3312C41DA3F981
                                                                                                      SHA-256:DF753760463622BBF573AD25AC4B5184727D1F232FF68A17A1601F39377DBB76
                                                                                                      SHA-512:FA0C76247E05C1577B767373DA659A4876B3B39DA20D3D0CE8A73779306C66FD3A2A032DCD47D11A79F1A1A2A93E242651F8650934CFB98C10D4E50F111F8F90
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):215088
                                                                                                      Entropy (8bit):6.03083318319815
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:m1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sV:5Izm6pOIgvr7s
                                                                                                      MD5:A58985E020BB24EB28C965043EFBA9F5
                                                                                                      SHA1:709CB8780E30484A788EF6EADB8B76D30491F66C
                                                                                                      SHA-256:1AAED0562F7379F1998E50A9C0F8CBCFCFEE65FF2EF3C5DE2ACCD56764418385
                                                                                                      SHA-512:291CBFB3A468DA06CAA0D02B04CE5109EA3EEBDD1B4B0918D9AE45B7DB9FBEAE6842B35D4C9DF99373CAF54DFBED714577C959BE2C9DD9AA92FE2774860842C8
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):354352
                                                                                                      Entropy (8bit):6.153514122272104
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:+r/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYy:+hpp9xxIBeXGfvYy
                                                                                                      MD5:B2F1B38E6DFFE1FE761A0865392161ED
                                                                                                      SHA1:D9196465705125A228494A28D5CE3F3F2C7BDB36
                                                                                                      SHA-256:8E958FEA067350A1957FC9E4F3052A1B8D28AB95D4E26A072BCEF0794FB8A398
                                                                                                      SHA-512:6E4B6BB945EF698F4552E229E6CBBB615060722D2D1E8F5877200C37C4EEC8AD683C61DA701CB9A09C79673ECA96AC8CAFC3FDF70BACD2C5507C4F0ED78BC1E1
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):883760
                                                                                                      Entropy (8bit):6.071481963565208
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:V1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQU:V1n1p9LdRN39aQZUqF
                                                                                                      MD5:CA515F4F34826F5ED5A8FB7D3259FEFF
                                                                                                      SHA1:D31158793EBB4E0CBE957158F2E42754CA826A29
                                                                                                      SHA-256:5042E33133E0422F51382C273153295DF814E5CC2FF2A4FD0D973B4AF54D4933
                                                                                                      SHA-512:1336E658AE6097598F3508424085AD288AF4B60D4FDB821A10BAC712492652F7BB06F3E53556CCBB7425A63ED48B53D368481D1F142E6B58FF7C4789737A3CFF
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):710192
                                                                                                      Entropy (8bit):5.960477572931558
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:hBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU/:hBA/ZTvQD0XY0AJBSjRlXP36RMGK
                                                                                                      MD5:EF06D200D340C9798A006F304119BA82
                                                                                                      SHA1:C08B838DAC97CD1376D934FB5ECA982BEB19D493
                                                                                                      SHA-256:88C838B4EEDFF929AFDABA2BA808775B1979C5C9BD7AAED36525CB1A41D8A8FD
                                                                                                      SHA-512:E67597F90A504A1B7C6AE838C8F82BF9928D49B22E896592623E9473147F8C05B974E86567E40D93D9C59602843A532034ACF5BAD2EAD78962AC2435A63E80A7
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):293424
                                                                                                      Entropy (8bit):6.121578040837099
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:vdmT7N9hXNx16L/kakZieD2C6gVkRYKn6nUa9K+yt:vdc7N/WkQHr64t
                                                                                                      MD5:C329213E3BAAC31E55B7E57C9B5692C1
                                                                                                      SHA1:C858EFBB991254A929A0D7BCB1087628501E6DC7
                                                                                                      SHA-256:38C66E322E92172722E36001F2C9E6151655CFFDA8D78BA730B1878FAD793FF6
                                                                                                      SHA-512:C86F49F789B40E4EEC295CB652CFC63FD5C87E51029AF975AFEFA86C57BB6A9E52DAD54993FB7186ECE73BA905EF43C50E11B85F221EBC59698D8E1845FA90BC
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):277040
                                                                                                      Entropy (8bit):6.190744437011799
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:qSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYE:luQlBAMW0BvltxZ6h
                                                                                                      MD5:D6F46A4CB8CEB824CD1763B62B8F71A8
                                                                                                      SHA1:9FA3A8318D93CBDA86D2843B0783CDF0E7B28D92
                                                                                                      SHA-256:66386C99B4BCF568C95E93B11E5E89FC78556924C5BDAC9644BCCA7B04291542
                                                                                                      SHA-512:4B720C78E8B3316EAE4FD0BE2499173246AAD3896ED7AF76124A8E565977C27197C73D61474ABA34264F18D5C4BCAF1B51070484CE093814E3CA6C2804AE419F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):284208
                                                                                                      Entropy (8bit):6.117480150640407
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:PZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHNS:Rgo0WPVTXgg
                                                                                                      MD5:74DD74986D9708CFA8F4B4F0D005B604
                                                                                                      SHA1:55C85D2BD0ACD3E14ADF6D442670BC7F3DBBB803
                                                                                                      SHA-256:7100B1A666B0AA99EE5036E23ACC1BA3CFF2E7B2C73A2EA72F5359374648349E
                                                                                                      SHA-512:6CA3A9F1D10B4C492ED4902631C38F81001BDF256014148A7628166BF1932BBBC9DDA570A295C99F918818EFBA28C82D1E33C1532A2EA8163027C14351CC4ED3
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):22064
                                                                                                      Entropy (8bit):6.679229646565206
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:3y/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqUeaT:3uhMaVmzDC67EpYinAMxCuT
                                                                                                      MD5:A4EFAE23A302EE53F0A81FF5B3523292
                                                                                                      SHA1:EBB0ADFB9771F4CD61A1D0A9CDFE16CE5621A304
                                                                                                      SHA-256:D1D0C53044B2BF85F5B19CAF709BEFFCED51397AE94C37F14EB94E915C6446DE
                                                                                                      SHA-512:E77C1CEB40F69342C742AACB07016EA6ED5AFB36949E00E85663EA15996C62E019959FDD44E9E0D468C91DBD89CC8EDE10CCC9F242DB7D6C87D2A6E24E6691FE
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):409136
                                                                                                      Entropy (8bit):6.098144476210718
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:qPaYZ6henFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc1j:06heZBJm333M89QAy
                                                                                                      MD5:D03824AAFFA4923C80E6D8B716D8430E
                                                                                                      SHA1:06CE0C7BAFB16D3E92B35444467DB7DE0A6C7C84
                                                                                                      SHA-256:7782C0F86CE42101799CA9828FABA1798230734D17990637040DCF15F3617644
                                                                                                      SHA-512:59A04EFE8423402F57896ED8D70419ADDF52309024606B35E485E051D21076261098DCBE5F7AA7CE5F8BFC93BE992E94A1AE07102F810B9B1E020529C52475E2
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):51760
                                                                                                      Entropy (8bit):6.2347643754291555
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:Yzpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWZ:YzpjF0/t043e3vggr83jMYa/hU7HxVZ
                                                                                                      MD5:520478C4C71D99D43989786250EB4763
                                                                                                      SHA1:748AB4CFCCDB28B46E8226115C88681F72C033FE
                                                                                                      SHA-256:9708914775950619C1F13B1871CAA6FA7874891985E249F82AC60862C68746A4
                                                                                                      SHA-512:1C851D77617A8059491A1F02F81A27F8AE19CCF6EF925F63301F2C20B190BD35CFD60858121F7BA57301684A4685C87F25089040A67D1EB421A4B82AE8403B03
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):138288
                                                                                                      Entropy (8bit):6.179821808998386
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:+P3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IlY:+h0qjC5RMOHO420kN1j
                                                                                                      MD5:684D6E74002F9691D8CBCB135B6717E2
                                                                                                      SHA1:9FC0F5E7AF66ACD2BB0316BF28E9CC0201037EE4
                                                                                                      SHA-256:B6AD62636F7224EE73ED95D2E14EB089C34D40BFD2BE21A4C9B02D34CF3FA3E3
                                                                                                      SHA-512:76710039C919E70A551E7768C230732F71A069DA34B8BDB7B9D2B853FA9001F3D37952A90E47373F53C8D323E9CAF6726F319FEBA632C2E98F5E06716B1C8EDF
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):17968
                                                                                                      Entropy (8bit):6.673219933457599
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:Rh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBAj3IR:Ry9eEpYinAMxCAcW
                                                                                                      MD5:ACFCB0A7B3FD1002A8FCD0FD5D65F734
                                                                                                      SHA1:8507B9A8EE31430F75678470F5FA06337A76A5E5
                                                                                                      SHA-256:98A4333A188E2E88F115C5F8DDADFBED3924900C1071E3226FA5B16E22FFBCB8
                                                                                                      SHA-512:29301D054651817479EDD71E80BA4FB2E3CA449A70D7720017DAA3CF6EA2B1390E56EF763C9C9A97D099A0464439923F48D99AB0EFE2FB8B3308BDFBA7708E9A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):27184
                                                                                                      Entropy (8bit):6.334413974319615
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:Sn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCW4:SnvXYcIh6yFIFBYpc47HxN4
                                                                                                      MD5:0362AEF9DA024E41795F98D8B888E955
                                                                                                      SHA1:53FC9E81D01A7C97D57B9E9ED9A3872EF1E81F74
                                                                                                      SHA-256:FC5600A53DD80910B63651E9C5B3B0CA82AA5C53529F4AA0964D21BDC4C64F3A
                                                                                                      SHA-512:F65C8EAB66C5C088FB85F16914D18ACB0E2B9B201BD37C5D30B8B0FD2DE2D0AD48C74912C4293ABF611A6A64FD76B3B9B61502993C9EA680723B22A3ED88A612
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):73264
                                                                                                      Entropy (8bit):5.95553243429679
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRv:R7N1r9KGI04CCARLv
                                                                                                      MD5:F25FC027F62B2075901A6677EF81DC17
                                                                                                      SHA1:A7DAC5819431ACFFF9E91BCE7C6371B2A00507C5
                                                                                                      SHA-256:39CA7203DE9D6D026F5F1E27F00A5CA28133C0494E6F2E3ED55DD2F4F0893238
                                                                                                      SHA-512:2E51930198A5DA863A4B718A3772E88532EAE7C0E2C432618B3306F40AB141B6E7435246FE578AB7CABBA4A6BFC674F690484A27793965A6FBEB542F66BFBB40
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 12, database pages 12, cookie 0xb, schema 4, UTF-8, version-valid-for 12
                                                                                                      Category:dropped
                                                                                                      Size (bytes):49152
                                                                                                      Entropy (8bit):0.9021195969931592
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:2u5C4OoNSN1eN+5NmOZDzWL8OO7QzyO+p:D5PsveM55tzy8OO7QzyO+p
                                                                                                      MD5:51577A49C89A08DF9A8A8CC830BFF8CA
                                                                                                      SHA1:63DA41C67FD0A07CC64D35B29FD875D9FD8559D2
                                                                                                      SHA-256:B3E7EB1318664A2A7BA36DADF386E6AC163FF72D2BCE6D810D71B165496CBD2E
                                                                                                      SHA-512:C2CB7EB873AA7A12F37F18078DDE0130F285A689EC3C83D1A2B6E5561D349FF0FC317A01BB367C2DAA0AD4DB580E776DF91151AD2F3BB2CD3213B148783CD6F3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                      File Type:SQLite Rollback Journal
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12824
                                                                                                      Entropy (8bit):1.3828620377155405
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:7M/qcFu5C4OZUlFJNGdNGveXXQXN+5NG1Z4:7a/u5C4OoNSN1eN+5Nm4
                                                                                                      MD5:21696B871FFC0D18E035A5010ADE5161
                                                                                                      SHA1:A224436BE301C4879C1BE1CCCF32DAFC7F59FDC9
                                                                                                      SHA-256:B9A7BAA4339DF9F2CD471484E88ABBECFE60602F204C4500167E9729723112E9
                                                                                                      SHA-512:50A7B60DF3E512B81F18EA3FF1CA3F9414C82E5F7D6444480E6980E7168B537387399A4A788D31341A493899205E4296D569D05EE1E346640BCCB7826D53BAF3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                      Category:modified
                                                                                                      Size (bytes):1799216
                                                                                                      Entropy (8bit):6.5204766374461345
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:JuvfmOhyS2RuhV0yGzcuHpRs8ulCfUk+qKuMhUwqPevJ8QNYfjmqBBLbNFEohFYm:oHmUMohVWpu8ul0UkTgNCfyo3d
                                                                                                      MD5:D066C090D3416A1D082902E0A7EADD06
                                                                                                      SHA1:57B66D2450BC314003510657A6309F9921081EF5
                                                                                                      SHA-256:820867ABD8E1D48A769C6D8F8D8626CB2D9E492D71ABFB47F4BE7BEDEAB93C6E
                                                                                                      SHA-512:F0839808A716ABCF4BB392E4BB1B2D664D004FA519048C94FBA9623481DA87FE023DF94619A184E0F7F91DD02F63BB8FAC1013D09894F000661F438EE631C4C0
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1475632
                                                                                                      Entropy (8bit):6.7918990024107115
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:BS3uuk58wXpQous2GCzbHwGTzsIDQAKub0MBsIFBm5fi/5ATA9NTTPjXWJD8q6:gdwXpQdNVNDQubXyi60jXTW98q6
                                                                                                      MD5:E0C12F374C3CEDEED79A92B5279F838B
                                                                                                      SHA1:0FC4F192B32E9FC6C9FF24B9CB3129CDD925C845
                                                                                                      SHA-256:44FCAED823205977E5C1F6654C66EB9F51351F10B572CE6E914F4866B6D7B433
                                                                                                      SHA-512:AF965E825DC88BDBE35B9E7FC4A3FE360E9DE7751EE074E899BBAEF00FAD5158BB9E7A023D5FB79F0562BA4A30648A15C6B4AF363239B82FFC0F72C12BFB1095
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2899637
                                                                                                      Entropy (8bit):7.998716668580002
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:49152:CoZg4oOIjiPA+5uIH3EQVlhRBDhGBJhL3Ra1H1GzEE2q1qT7AJpvG/vlm3enDL:3ZPvM2A+oIH7lhnAgKV1qHCNGHVL
                                                                                                      MD5:19873920E6979231111E46DD7499F174
                                                                                                      SHA1:02141EDAB9CB1332950818E4F70ADF5AF4A8885B
                                                                                                      SHA-256:5E63ECA0E9B28EDF89B1243CBE91D0581EC54312F9CEFE24F2D503CDDE53BFFC
                                                                                                      SHA-512:76F7EF080D0FEFE0495AD97CC98E83DAEE63EBA76DE5440491DCAA388C8EBE3098BABFE6293BAE4C18BDAED981F2DA3D79C66258820C206E554DA882CB3917E4
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):29232
                                                                                                      Entropy (8bit):6.342923752111313
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:MpYIrBWGYPHEUePsnhkgGIW7W8feKWDpQNbo1JNyb8E9VF6IYinAM+oCMTW+:yTrBL3Ue0FSTuKbo1NEpYinAMxCcR
                                                                                                      MD5:C2C3FE6C498B463D94DAA3A28988E265
                                                                                                      SHA1:469BA50E5895BE09AD12732F71C5FE104DF945F3
                                                                                                      SHA-256:B6210743704B553FE69AECDBB0647853420F759FAA6EA7C66875D38656B774F5
                                                                                                      SHA-512:B00774DFE64BA90CC4216A0673A8E60CFF4FB5F46CDF142100DA8132956E8758369C185A747D0279B8AD2ABB8B69D6A10C5E2BCC3B65F5BD3077C025D32349AF
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1919
                                                                                                      Entropy (8bit):4.980638040615789
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:327h+1/gYo27RgdSagFsg+w3jdgDSg+CagFw:K4cw9n
                                                                                                      MD5:70934BFD2D7659E71CA6A5476C0EB675
                                                                                                      SHA1:9B1611D52D3B15A3EF0A5DB4FDBEF94BBD107379
                                                                                                      SHA-256:24FECC645D7EF3A69CF81AD72DFC95CDFC4BB313FCCF77864C9A47C69B5DD928
                                                                                                      SHA-512:0FA54C94D4A52A95F4A002062CB858222EA64D4FD8E8EF51725A440CCE9F64514DE12DFD60C41435B3B8DBA4AB80363984FD8E8350B5A9B0B75EB90044F14324
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):197680
                                                                                                      Entropy (8bit):5.747369761062569
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:Y0zLj1bBKlndsFAQ1DSA8MT2tlwgVrPd+iqiTj+C+5Vw:NPjOlaFAESAewkLUiqiTjrl
                                                                                                      MD5:C0C8815ACF3A7BD323512DFEA1B0ABF0
                                                                                                      SHA1:31C42681964BA6E24578105B30C3A3947641C669
                                                                                                      SHA-256:FB33C644CB11C8A0522E7ECEC9C529EABDC1080D68BD3C21A6EEB3F6FE2FC425
                                                                                                      SHA-512:47BEAA98DF6CF7403E9BCE455964B5C378D303B959B17253104344FC48E14A09AD5889B20D4AAC06C4C1C57F42F5B826E0B71C10F1825FBFFFEEB81D36D247FC
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1782
                                                                                                      Entropy (8bit):5.026919218581437
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:3rrb7h+1/gYoSagFsg+w327RgdSg+CjdgDt:7rn44woR
                                                                                                      MD5:F0A8DACF41AED1B1084D1D5157DE3C8D
                                                                                                      SHA1:02D4EE2B81AF8E9626571EFDA122849B804CE29D
                                                                                                      SHA-256:09C69F2CCC14AD72805AB1360DB7D5AB486D99C5E55DC8B5F54695988811FF80
                                                                                                      SHA-512:A6F1E6BA01179DC9AFBFE04887C288142FEA9BD9A593E54977C7F050A0B0EEA96D26EBE3792038EAD56467AEBD325CF7904F3D2B4206B3FE40FB468437A6C4E0
                                                                                                      Malicious:true
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <depe
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12
                                                                                                      Entropy (8bit):3.584962500721156
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:WhU6n:Wtn
                                                                                                      MD5:9EB224135E992B09B71F35DA23490EDB
                                                                                                      SHA1:BA28FC16AE867AEADF9393E19827ABD3F6FED830
                                                                                                      SHA-256:50418B438425C5F8EACCF5FED9838ABA88ACE6E02CFE7A5F739C960C44E03D30
                                                                                                      SHA-512:DB6DFAF4D20AACA9AF2AEA90675F5CE56E6AEE5307682337B7ECCB3D4C3E54EBBF363C3082271A8C2E5EFF9B20CDD08C2B382ECA59789053AF7070B06EABF646
                                                                                                      Malicious:false
                                                                                                      Preview:version=19.4
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):99376
                                                                                                      Entropy (8bit):6.18884582497966
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:RlAttsLnppOphwrfNIkZP0kLv+ghDBzmItlVYlkL5ihaO40QhflQCxhB7Hxi:RoESpOPptPkW5ihaOdQhfhBk
                                                                                                      MD5:C83B1F5268442EE112B7C5E3ED017976
                                                                                                      SHA1:37641A871CC7661EA4106C750B75168F469E08CE
                                                                                                      SHA-256:A1AD7CA55FAA12FD3F6066DBE283D1CFAE329168F8E6054060CE45DDB28F6F7D
                                                                                                      SHA-512:D763AF85DB80D1CC099ACAA5B36A0269C1F55F5890D6ACA47D6BF315847FF2C07AADCC89CC75DFC19793780963F99A5E1B398FBBA26392C71E9B8D3E0DDE1FE1
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):95280
                                                                                                      Entropy (8bit):5.996567781993223
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:Y4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87Hxsd:Y4auS7S5Ea6WMcpu88
                                                                                                      MD5:9551AEC9EC60C8E51BC17373A6EDF42F
                                                                                                      SHA1:0A130A64216EEF14D9D9EC493526497EB6DE8115
                                                                                                      SHA-256:C191D85B761AF9E439D98D74E8132755D2C585BB82D0D912BF653580DA63F4F9
                                                                                                      SHA-512:C08E5A51D9E81170C6C9D16752AD91F7F722206CD964A4FC1D970828042CADD97949636B8A283FE0DE5972A8EACCA3AA43D1BCDAB2167D09D3AFC8A2A912A614
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16432
                                                                                                      Entropy (8bit):6.655973367080629
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:+Xh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl5fcbA:+Xh+tYmNyb8E9VF6IYinAM+oCaFfcs
                                                                                                      MD5:4F8732210B0E83C718F6A9D65EF6F7D4
                                                                                                      SHA1:B93A5E21E847E86CC2F8E0CB4075BE40D268C980
                                                                                                      SHA-256:9E174654BB26A7E4F584B02391093AE2DAEFC0700391FF1953A85681CA6B0D36
                                                                                                      SHA-512:2F54F1DA2ED92E894CCB7AB74AD65DB1C5BC6F3E435D7F6CB7488030EE156F11585733A7CD610BB82A421955F8310651A629FF983DC4248E0E0600311116D470
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):75312
                                                                                                      Entropy (8bit):6.2404926502583145
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:9u2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYd:cF+qo7mDEwj4NXLGcfgruFcg7HxR/
                                                                                                      MD5:AFFA88B8F4AAF5C4DF70AE9970CCF151
                                                                                                      SHA1:C059B1773818C6CDFE832DF00C88935D622D202D
                                                                                                      SHA-256:6F7248580551DB8F0CF185EC410F31267938C9A258AE4DBF6B257C1E5A6C84A1
                                                                                                      SHA-512:8FB0E096890594B6D146EFA1CFC72D412B4877C72155C61A19240D1DE171E16023C53C16A25F9BD7092409F08533C641AE17BDC770A437B36C4EA00FF272EDAC
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):51760
                                                                                                      Entropy (8bit):6.409108893671757
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:pQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyMmEpYinAMxCR:p9MYn1seLE8JFMLcyMH7Hx+
                                                                                                      MD5:A98104308B1333FD329742F6EF90CD46
                                                                                                      SHA1:D086C1B80D611EA3C086B6B7E55989FECEECE053
                                                                                                      SHA-256:B94C520983BE6749E504B4AF7BA32A7EBF62BAE1D2A545961089871B0021A190
                                                                                                      SHA-512:7009FCB089DC756D33121C0E9BD6519469989DF79776457E31F0C913B3885B91C62BC7BB5C5C526D8B3E100671C39636E159CA24A5C1EAE911D730B04741D1B3
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):145456
                                                                                                      Entropy (8bit):6.203831545567015
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:cRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIh5:w9XeDmzV2yzlhKLFU1lLVp1+2flYFss
                                                                                                      MD5:4DBE240649359167D2A3D1609B00B55F
                                                                                                      SHA1:07083C6B9A7BAC81EF6FF247969EA985B3C54EC7
                                                                                                      SHA-256:9B35B27D8ACFB6FA7F58586681C76FB65C57FC8589F3C87D502F84D788302E42
                                                                                                      SHA-512:DF43343EC70B90A80813CD47A7237A8054D7095F64757CBD579F91ED19B06931B93A13BE77140FD7C69B7620EAF88BB633CD38FE0112B1F95631101773ABB5C0
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):96304
                                                                                                      Entropy (8bit):5.633639288713223
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:+2kKfq2RQuKDMOoytxL2L4zP+YuqL2zL7SAaDx4lbOw6OhL7HxxJ8:bQmyxL2L4D+YZL2X7SAaqywjhLN8
                                                                                                      MD5:BC1FA9EAFDB74D46CD404C564C3395F7
                                                                                                      SHA1:AA153976794C77F741AC9954A043532069800909
                                                                                                      SHA-256:ED4821858F406A49C18C4199B4CB1930D39647186939989A9D721C03BD976F1A
                                                                                                      SHA-512:03F2BF0A5F449706CBA9DA340574CED981C70297A02D7ACD4314E2F4AF07EA4D2D72545175E6104E39BAF6DBFD200A0646D025901E6D34E534DF92EB3997C004
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):308272
                                                                                                      Entropy (8bit):6.107431907158925
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:3Q8wCKFMjHq9bRwkpHNddKmTtYZo4smxTC3LnXNXa35/ZmvYN:3FKFMFySZIBHvYN
                                                                                                      MD5:99C05DBA4F5671C63D6EF255BE907817
                                                                                                      SHA1:4B911454F2AEA144478819E45EEBF6C596B5EF42
                                                                                                      SHA-256:00AEE5E4E7181891BF4C364CF349260AC230602E7DDB8F9A68D2529CD18C4748
                                                                                                      SHA-512:D2D9AB6BA2B6058922DDD094AB3E20027C4932B76C6C0E1B9288EAEF64E6A253DF6AB3EB3EEF714ED87087180AA3FE845E0F64B11EA0CF9DE4F77B7BC30B9671
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.838236316522756
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:/N9VWhX3WZNyb8E9VF6IYinAM+oCF5W40I2:1G8EpYinAMxCa/
                                                                                                      MD5:6DE9E32CF82BDFEF0961FB2D34652E0E
                                                                                                      SHA1:594F28EC0E264E8FDB9AD5F7DB0E39B09CA829E8
                                                                                                      SHA-256:D6062AAF76E078197C74E6568B1247DE0959DD3474F4AEAD6657C5AB0A818EF3
                                                                                                      SHA-512:2899A6452AE9FDDDECA907591B012FC1BDF8C65454E368FF2F08D586BE576EDB6D96D86D5B2642D6FDD14B2AB67EC54CF7372E85D88850BF8BC9358DE99CD271
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):331824
                                                                                                      Entropy (8bit):6.168781225160191
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:7BhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTd:7DMUWITZznu85k8Wdn8KmCjIFi3Vvh
                                                                                                      MD5:80E678BFDD93E7DFE9A707111313D825
                                                                                                      SHA1:16EB28DB750AF24E54335C85EB127B9CBA57FE4D
                                                                                                      SHA-256:1C1BA40B2891BA5CFB8D3F5638D4BA958691487CE0F439E976774DE03A81D7E8
                                                                                                      SHA-512:DA12462EF675095861616C1E106AA908537016357461049C8BAFEC8390AFD715D40D51710308281F20CB54101600BDAAB43DF8CBA81282487B9AFB2CC5E66B78
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):883760
                                                                                                      Entropy (8bit):6.071467644933958
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:J1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQ9:J1n1p9LdRN39aQZUqk
                                                                                                      MD5:D6850025902001E49D91F1D1B1E4C4D0
                                                                                                      SHA1:A0DD75E918BFCA1B171CE63F3C3B484FB35ACD99
                                                                                                      SHA-256:7BC658E0A3DF8C016D4CBB3E28CBD64FF0D4FD9F6F681B32A32460ABD347F86B
                                                                                                      SHA-512:0FAC50A006FFD586E86821BBD7B17C602C1EBF9CDB8A0BFF88078836258D1E30364779B92F0A7F1F908E92D66B34EBE95422630F967FE28642798851580EB6C6
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):710192
                                                                                                      Entropy (8bit):5.96040287359365
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:sBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUcO:sBA/ZTvQD0XY0AJBSjRlXP36RMGLO
                                                                                                      MD5:EC8D314B1652E46AFBAEBF3AB238CFBB
                                                                                                      SHA1:898A5BA8E6A1DDCAE0470AF5694FD5111AEFC2A3
                                                                                                      SHA-256:4A292A2ECF89A630AAD219C32C94540033B5C730B59CFC9304C351BAF48A7DF3
                                                                                                      SHA-512:5538C9BA7183CDD88F7C1CB10185DDC5C61B3EF84F4EC66E2C5D44753EB969BADAB370959F65A3B6E1B7396D2BAC08BD3D3E2B020AE36469EBD49B50D3CF0469
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):285744
                                                                                                      Entropy (8bit):6.184647880138468
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:kZAWDkTmokB1QI3A5XeedC1OcQykFlE1WhOMiSdNrgClZ73HpsP+zq:kZU0BJwuOcrl1w7HX3HWv
                                                                                                      MD5:3BC563BD709528CD61D8F504A3CF8423
                                                                                                      SHA1:473AE87186633FC687D6D91645E9FE6481311671
                                                                                                      SHA-256:465C1AE509E2AF00389B645FBB75FEEE7365FC17624D2E9237E6861B8BB30AB1
                                                                                                      SHA-512:902ED07ABBBDEA26C48D8886F5754AD76D68D5177C80B92A326F87A193A7C9F541176E001C624EE284B8E8A2A664CE13321338DAC392D21847646FEF50766021
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):25648
                                                                                                      Entropy (8bit):6.5620339191415304
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:MLAQk7qYbU6fX7pLk5LHAxOEaGdzBSINyb8E9VF6IYinAM+oCcS4jDf1:XRLOgbzBSgEpYinAMxCR4j5
                                                                                                      MD5:4B3BEAFA0EE0C0C857E5D3CAA0785C5F
                                                                                                      SHA1:EC697AB6E0956374F234A39EEA6F83EB04EEAE4A
                                                                                                      SHA-256:EB93BE98B146199BC0E097D1B0EE0B5E89DE7B3CB77845DD0EC0A404D79E3D01
                                                                                                      SHA-512:05498E50AC2B3724AC81C6F834EEB181F3B3706A8377BF6243CB747A344E7D3BE298754874DE4EB041869B4C8B2AA2CDFC8AC36F487644D4EF246BADD644D6E0
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2029
                                                                                                      Entropy (8bit):4.99666085039448
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:3Ar+z7h+1/gYo27RgdSagFsg+w3jdgDSg+CagFw:wr+v4cw9n
                                                                                                      MD5:A8C16947BDB4CB8CF1CF491FDC02B223
                                                                                                      SHA1:5CBEC67AF9B62D270764E5D6C0964881ABD6FCBE
                                                                                                      SHA-256:0F53AF9459BFA13AB9F911AE5FDBFDEEB0A5AE48B209E117321984E409413F06
                                                                                                      SHA-512:791153552D64F1315C42F794D7C3BD9AA90F8C62D547197EB555A9DF6E08EAB1FD93921FC1FAF5015291FDB4A4173137A93FA7964E8003EF70EAD11DE10C2DE4
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </depende
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):210992
                                                                                                      Entropy (8bit):5.348412302895247
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:aXLNkrE4AOS3ncIzkq2ijc3Y28MNwH5Z5D6T:ELNkrE4AOqcIzQijLw
                                                                                                      MD5:DE3BBFAA013445B332720DA559F61FA8
                                                                                                      SHA1:7D21AAF19FBF49E758B06DD28C204E2E7B632D1E
                                                                                                      SHA-256:E0064D508B6F9A79D27E5404D414DDC090A52D5AD41016556CAFA973D89CE244
                                                                                                      SHA-512:75581D822D98E1777E052E7EFD8B2C3AFAB7BBAD9B6A0ABDB017818B6349604FF1D24878048EABE571F09211C68EE0F87FA73F3BDB801A8017D4C2DD45E5E9D2
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):19427
                                                                                                      Entropy (8bit):4.994540973244801
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:hrg4wdkumUwfGReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSJeZY:hrdOPUDCTHffIz
                                                                                                      MD5:04178686B6E5E58B69F7DFF5C6FD225F
                                                                                                      SHA1:20E38E9E8B6EB9F182729E51710979250910798F
                                                                                                      SHA-256:F260BB0DFFA0C3969D7DCBE480F4502DD8C1696FAA7B9019247EC91C6B9778FF
                                                                                                      SHA-512:18375EA01D4B3F2CFFE413472B7E736CCEF0024A403C920A17D4E0F1A69F06347B80358AFFF4314EC6A5B9A02E50E850F94585CBF379843C07FE15883FBB2D50
                                                                                                      Malicious:false
                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" publicKey
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):284208
                                                                                                      Entropy (8bit):6.1174239058820445
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:1ZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHf:Xgo0WPVTXg/
                                                                                                      MD5:5C41C8E809BE33643D9D3BAF40868770
                                                                                                      SHA1:525C3E3D7C48A61DBD254B6526EF701F394709D2
                                                                                                      SHA-256:5DA0EF8D49FB803A8CBE8CC8B9EEF48F32C01ADF737F679751239B6BF193652C
                                                                                                      SHA-512:B30D697398D352D8D924F6E94B1FE1519B36AF9A6B8CC022513C56855F680FEA74908D2F6BFD86160CB17848799527599105216F19A3AD3293A614CD3FBDCFD3
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.810303906948599
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:ry8+xcexWQFW5QKNyby2sE9jBF6IYiYF8pA5K+oCGUHF1/Juf6IGhF:uDNxWQFWHNyb8E9VF6IYinAM+oC5+Ri
                                                                                                      MD5:B43FD617ADE2F12D5A5DA4BC8E2EC788
                                                                                                      SHA1:87837187C60145E7306FFCFAD18AD7667C1C597B
                                                                                                      SHA-256:090E8BC5811082D668E7834D0A69956195E16E02E4A91BF72B98FBF46C01F44C
                                                                                                      SHA-512:7A9D149AD75D799D71A4D1F8E6E16E3541B3DB4D862D4479745666FB81D376DF6751F30BD7FFE29ED930909F609CFFE389049AC3F6C67A1B8A0D589161489A2C
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):22064
                                                                                                      Entropy (8bit):6.67173183600974
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:LlrMdp9yXOfPfAxR5zwWvYW8avNyb8E9VF6IYinAM+oCAsHI:LlrMcXP6gEpYinAMxCXI
                                                                                                      MD5:4F4631540C1A187A87328A3C26A33455
                                                                                                      SHA1:EC4184E92628A5975BBFBC5C883A246BD07FF46C
                                                                                                      SHA-256:9253E6DF69B66F357DC59023B858A1119153BD1761F8F83CBF375AB5040EDC55
                                                                                                      SHA-512:D16092954EB7B7F0B73013E85AE36D01B0A4CCD178BC804E0C0BEE34F18D85B95AB741BD57BB78792B4C77BB3664E86E785383F4886F3CDFAB2B291C2E4972BB
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.90727570833683
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:Im2igOWnW8rWVNyb8E9VF6IYinAM+oCPT89clQR4:Yt0EpYinAMxCw9G9
                                                                                                      MD5:04AF1E5528EE2FE8D0E2C9240661DA0F
                                                                                                      SHA1:435875171507B9ED43A0CE168FED149BB8533483
                                                                                                      SHA-256:5D913C43020A9F32ADE24F174250AD6E674B7E5E1D2D194E9A608CBD70748595
                                                                                                      SHA-512:D83DDBBF4C3BD9AD399C988234BD22BC0502135786DE94C09FDA2AF96F6C199DBCB049135111E172C75DC1B6A86A0FE9AEBE805AE0AB1595D5F8C7F99D8DC690
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.900100834273744
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:xnapn1iwwPWcGWvTNyb8E9VF6IYinAM+oCagmKtFWT:YDu3PEpYinAMxC0qQ
                                                                                                      MD5:561BD5749A37BE8B5456B477DD2A9ABE
                                                                                                      SHA1:C5A08810D97A4AA7968F63F11140B471BD8186D0
                                                                                                      SHA-256:AB42500F2E9840B11FDFCC593087164263A9925D649012C360E129AA1FB44249
                                                                                                      SHA-512:60E6236E860C01D912F46F7D72A0667AEA20622C4BBD133E8A5827A23E40D4402DA0EC4D1C499DA69737B62F2789A840FAF7ADD2859A366312D003AEC762478F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.909092148900759
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.760910226841751
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.8160199063054066
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.862739539471698
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16944
                                                                                                      Entropy (8bit):6.792287006749931
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.8527441270087515
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.8485217436146
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):148528
                                                                                                      Entropy (8bit):5.4178270851166594
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.812160470049198
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.894107837143539
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):52784
                                                                                                      Entropy (8bit):6.247628824459115
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.853814679304912
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:ZxGxIZWJjW55NNyby2sE9jBF6IYiYF8pA5K+oCGUHFykqG6:Z6oWJjWZNyb8E9VF6IYinAM+oCukf6
                                                                                                      MD5:2D1E64C6363F520A4B09EE67CA44BBE0
                                                                                                      SHA1:A1D1CABF2DC5A03B193A435ADD236438C3FD5E0A
                                                                                                      SHA-256:32F80F2FD7EC40AB166D32F9718C6F52F024A4C16A410B95D26CB83B2A3457CF
                                                                                                      SHA-512:AC2662EF95C75FCD79525A0219B598EAFE0EED22E3FD6CAC1C024F37E095F0668DBE529020CEA1383EE7AAAD32C5C4349544EABE23199B9AAF70BE053C20DA59
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.775913255662062
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:zqk53/hW3fZ+zW3Nyb8E9VF6IYinAM+oCjF9:zqk53MXEpYinAMxCP
                                                                                                      MD5:05A320B376EE93BE8E3E26A2CA823B10
                                                                                                      SHA1:4F02AA8E1741C094813C08F66B17D61263D437A9
                                                                                                      SHA-256:422876979DC3BDE89C3AEC38D43C48A3DFA80D9446748E55EC26AAAA195744B6
                                                                                                      SHA-512:177F6628AF9F0808B8E7A4F8C7D12F5AE45A829DACD10E531A27FD5C150FD3FAAB5729112AD75B8E8BE5DB71C6D1A0A4559BF522D5A90DA1749CD5A25735013A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):17968
                                                                                                      Entropy (8bit):6.661314849678409
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:WFCc4Y4OJWfOWqWWOWyNyb8E9VF6IYinAM+oCwOS/D:2CcyCCEpYinAMxCOD
                                                                                                      MD5:244105479AAE00122795AB55C02D27C5
                                                                                                      SHA1:4D02969813A1EF3816DA8EDE3740E3A448380D43
                                                                                                      SHA-256:9F81EDA0A759D7681C42DB5FA8967CEC5350761E14E6FBB998709C1D3FAC3BC1
                                                                                                      SHA-512:74F5EF78035495A409BD02A7F97F54B71E5E5929F937981B02FA5E1147B2F493B32339B62456ABD0D3751FA7C955B168EE849EBB099DAE7E9CE84A8C3CAE307F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.8760364981132405
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:rlTx93aWxMW5VwNyby2sE9jBF6IYiYF8pA5K+oCGUHFwPtrnPi6:PAWxMWANyb8E9VF6IYinAM+oCMPtrPj
                                                                                                      MD5:76011DDB6222C1DDF8DB8DAD81822DE2
                                                                                                      SHA1:98E59A56051E878AA59574CB18312E3C4DFC814E
                                                                                                      SHA-256:B6B4BA9E826F30B91768844A9C6B76F6CC5A3342CAC2BF86B0E94AD5EADD4840
                                                                                                      SHA-512:C4C07155FA550C878ED73C9C101787093F73110F6B1C7C90FDE931DC453BD6EE4E63211E764FC39ECA2F0B07DAB437CCB6097BBEA4D2E6975A5BD759DADA183A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.855299035225063
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:sYqArxbYWHaW5uiNyby2sE9jBF6IYiYF8pA5K+oCGUHF2zfxGLNDPIh7:6AlcWHaWBNyb8E9VF6IYinAM+oCyoxa7
                                                                                                      MD5:6763462D500565BB723D6AE7DD376177
                                                                                                      SHA1:5BA25C0C7F2E66FBC00CF752EACC0F0757ED69F7
                                                                                                      SHA-256:E77307BFEF76BEBDEAC6916FC6051CDB8C7CD5347660A0A2FD216C0021A4FFF3
                                                                                                      SHA-512:34EA0E54D86A6E5C588C164D5A13854F9C133DCB5E59E1D5123F3E041EA1300DC327ADAD16AED58D3F455AF6CEF5CC04D8C6C65791D2B501FED17752A731B990
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.778616544811202
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:lGIZnWlNWmNyb8E9VF6IYinAM+oCpcstTLAF:cUyxEpYinAMxCPYF
                                                                                                      MD5:B2385B0E04770B808F5F51B4F267DE63
                                                                                                      SHA1:DBCCFFC5F25E153512F4607827A1DCB0672DB7B7
                                                                                                      SHA-256:7377730E697EEA5E6FD7A9E91B4967E7669D9CE6EA9B0C9DEAA3A219C1381BE0
                                                                                                      SHA-512:60D576EA65C7FCE3D3F65DB2EC3D8CD14C833723AC5C56D1F299608E63AE520A0AE8A099EE48D883377C333E31797FAC108584C98ED6E577CAA8929D58E92BAD
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):25648
                                                                                                      Entropy (8bit):6.495901336244438
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:UlQnCMi33333333kj8xe+5PTYM3zUy+CezHjzgKj0uRWOdWmWJdW8Nyb8E9VF6Iq:SQq33333333kX+TBi8rEpYinAMxC/L
                                                                                                      MD5:5F4C0B3A7F2FB0DB1B1B20969BEF7168
                                                                                                      SHA1:CD470977A3442AABCCB143FA078839C5078D6AB6
                                                                                                      SHA-256:A5DAD8CC289C2E342FD57F2153BC1B704CDDDD42C508BBD737765348B7636A3E
                                                                                                      SHA-512:EE8938258AD481225DBD44B9A56A62FF19C762B200A23720630629553EC386B1D0F999C73F6D949969353A66994E860EDFCA94A18154F32354B98F400DDAB925
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.852030061615908
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:l28YFlXulWY/WnNyb8E9VF6IYinAM+oCKD9B9:l0q6EpYinAMxC2
                                                                                                      MD5:40EC51C679114A8554D35F8EAAAE33E9
                                                                                                      SHA1:F550B24B07809FD1BCF258A84958FE56630A89CF
                                                                                                      SHA-256:1D1044444D0DE0F9D48675C6FF61936287518356DAD7CD2616C0EF0F04E20AEA
                                                                                                      SHA-512:235A3BA54BBE957166B69E436FD0F57F52250E53512839D0A7D072F4058B246F6E8EED5E09DCB2DCD48F8CC13AE1DCE4EF2602B7BCC4AA70BF1B9D41E227E9E2
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16432
                                                                                                      Entropy (8bit):6.729765410025899
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:yuMLcdQ5MW9MWBNyb8E9VF6IYinAM+oC3a6sQ:fOcSpLEpYinAMxCkQ
                                                                                                      MD5:098AA5F5859D20B7719F6CCB4AB5FA3E
                                                                                                      SHA1:5BC4ABBF4605C74475690DA70379086462408B42
                                                                                                      SHA-256:E01AED7DF04EA4C2F66294E2C38D19FD2559AD2CD91AB30175FA574971027B85
                                                                                                      SHA-512:6654A2EF0D54C94BCDCD45412997DD0CE2DBE0EE7675DF47AC7D10DD9A61A0DBF3A00A7E96E468FA0996BC51E2CDBBEFF45EC9FA75101E918FC14F6F274BE030
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.817127728987462
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:FZ7RqXWDRqlRqj0RqFWVNyb8E9VF6IYinAM+oCVaX/:D9qKqjqjuqOEpYinAMxCk
                                                                                                      MD5:9C9C0184972082224CD5D3F2AF6E0E77
                                                                                                      SHA1:D0D7C46D04D6DC7264E5C6BE53CA34DDBCD4FE58
                                                                                                      SHA-256:B2C0A24B2757D61DBEA647EDBE2D9FCC142846EF146D1654258C7D45914D5CD6
                                                                                                      SHA-512:E1CB8A9BA85ACD7CB8C10E2A922CEB49D2FA0E01EA0FFEBB742B5571FD8BF857BE8FD702D891C3C75676CB4B861091FA7EF8D095D23B3CAFBB828B286F1FCD0C
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20016
                                                                                                      Entropy (8bit):6.62945691310315
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:ANBMbljRC+lgfS1RPWYR1Rw0R9WYRPWYRDRj0R9WSNyb8E9VF6IYinAM+oC3V1rD:AvMhF2SzNzwu/NljuREpYinAMxCj
                                                                                                      MD5:EA13EEE1E8B3A2E19CF2AB5BDE0C93B8
                                                                                                      SHA1:8FE61EA0D50065AFC142C7CB594F5D324991E639
                                                                                                      SHA-256:18E32A5B970F01BE86360A233CD484F3FF3C4D2CAF175CCDF6AB0079961419A4
                                                                                                      SHA-512:7E0880BB0CC2964EA473CA0302270605714F36E43A9FF60A9C68396C9B8240DE861010005521490F3C19A7D35B0334792E3DCF6F2775F42A0CA27682358C8DF2
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.901409880946083
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:ubZ4RLWdRfRJ0RZWuNyb8E9VF6IYinAM+oClyR1Fk:ubZK0pJu5EpYinAMxCo6
                                                                                                      MD5:7EDB4DA2D07025A04DD098A07923BBBC
                                                                                                      SHA1:C6D556324D9DEE8FE9D8DE68841634425924789F
                                                                                                      SHA-256:042C0F918096612422011D42D0A3E22757B57457E8677973BDD4E5694C0226D9
                                                                                                      SHA-512:0D47E6CDD8DDE2FF5F0FC26745A434995DAD39D1D6BB5766D93B0635CA6DFD786B9680054B48AC6C5ABC3AF79C55E2C16DD2CFB1D621BAF1145277D8B8A60BFC
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.798639249065837
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:0Fx+WTIEfW50ANyby2sE9jBF6IYiYF8pA5K+oCGUHFz9ZITneu:UYWsmW5Nyb8E9VF6IYinAM+oC39mrt
                                                                                                      MD5:DF12986E7A5DFF2263354737C9436809
                                                                                                      SHA1:A1B4880508F135C4BF5FAEBF479424CBEC8FF342
                                                                                                      SHA-256:BBC06214E5835B90D0054EAAD5F80FD40BF43CE4A29E99AFFD12AED7E567A938
                                                                                                      SHA-512:F6EAB6C15A452D1F6092435A3369359F5471609DA1098F26EEC6BF8968C8865009EA03DF5AD886275D90D5D242D68F15F1C0ACFCB66015A735E9247CC5779E01
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):105008
                                                                                                      Entropy (8bit):6.382307221380866
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:kvc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXW7Hxcb:kgk1tiLMYiDFvxqrWDWNoJXWKb
                                                                                                      MD5:81A43DF8AD73BEE719B131DEF479F5CB
                                                                                                      SHA1:8ECB4E33C8E2AC7D30BA37B1D4B12331E8DD9F9C
                                                                                                      SHA-256:5282224AC49FD93AA4E5731F8D23D36A0BE8830E1240CE803A94131B30F269DA
                                                                                                      SHA-512:B426CF15D47974CF2AF37AC322C6DC956ACC647BA67641908D20BCDD0AB443C50239AD0A563D998DBB6A5AA5684AAB2AE7A5772922EF81B0FFFEC5970EB3E223
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.8542726522556805
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:AKcuz1W1cWMNyb8E9VF6IYinAM+oCLnrDoqi:Qu86EpYinAMxCbs
                                                                                                      MD5:0E639C40291252B6B94BD56C8C2E4A2D
                                                                                                      SHA1:30A19A37E9972AC4D10E578E314AC286F9126045
                                                                                                      SHA-256:C4B9D13CFC96C03B2A1078B76155CF8C93D27858EFAC6321028C307FA43760B1
                                                                                                      SHA-512:819B1AAD6958F96D4A0FCD4B48228B8D4A4FE24432FF706DE69C93E96AF1D03814E8F0A3065B3B228A77DBB874995454A271237F87D94279CB896C2645424A7F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.864879066460218
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:LpXYpxjSSWikW5I0Nyby2sE9jBF6IYiYF8pA5K+oCGUHFUd79eOJaZWK:Y+SWikWBNyb8E9VF6IYinAM+oCAd5QUK
                                                                                                      MD5:D81808C4239C950E30821393BE815794
                                                                                                      SHA1:84DA8F3786D0E8CA360848716E61CAEB059941A2
                                                                                                      SHA-256:42B58E52682733FA8F505B784EBC3CA7C7E8C529AD6025AA324984E47FE0BCF2
                                                                                                      SHA-512:F0D869406437F20B35FB536319BCA29C3DFB914342AD2497D931EDB7B742424C19AD92A3FB985AF14172CDD7BD36BA6B690642A17578479A8AD0DD80F2E781E9
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.906247186393836
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:QDxxhREWzgW5mGNyby2sE9jBF6IYiYF8pA5K+oCGUHF76amamyTds:kAWzgWlNyb8E9VF6IYinAM+oCXE4O
                                                                                                      MD5:1E5980ABA0E632BDAFAB1AE983BC45D6
                                                                                                      SHA1:E6C5185B87C8665D9035C85EE43076A522F48035
                                                                                                      SHA-256:8D58C4BF0AE55D775F42779631467A370A335EB88BE978F0225D7DB220CEAB6F
                                                                                                      SHA-512:2E6D6DBC48CB7F54E34BA964AC9E8BF23D4D70FE0DE2B1698B3BB70581B80E9CFFAC956C9508C890C7450AEC639DACE1FDB7BEB31DB0B96885D8904DE9DF9B85
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.863001513688545
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:7BLRWbYWAjNyb8E9VF6IYinAM+oC7c/T/b:7B26/EpYinAMxCYLT
                                                                                                      MD5:9A3283DE5A97F5B005A4A9EBC5CC8462
                                                                                                      SHA1:23F8985BF7970358804441DC8FA7B4FA3108F735
                                                                                                      SHA-256:12066B4AF070977FDAFBAE7DA3EF6BD23E2A4D72FCF4F2811B7D1F86FC4548C5
                                                                                                      SHA-512:25A177E266B8A83CC959BD154DDE33452FBB09A9F754C571195E281C536AB0244C47C35C019E4DE47989A0EB56433A630198B905919C06F71462A681F36C115E
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.8559103413814135
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:0ZxcMRW4/W5x9Nyby2sE9jBF6IYiYF8pA5K+oCGUHFyF5FwNi:QHW4/WRNyb8E9VF6IYinAM+oC+mNi
                                                                                                      MD5:61267F80038F9F92D25E8A4AA6699D71
                                                                                                      SHA1:6657E4B501CF6DA418FA48D2FF355FB5F841DE43
                                                                                                      SHA-256:2669F22BCDF69F2AE9111B0FC4E0672E227A751F67F0E4302E25B656C40D4E2C
                                                                                                      SHA-512:4DDF947DAF9B46DA0385D07C72754C386905DF18A267B8E699AF5EB4C6F4C84481539EAB182D80B42F9823D766D5BBBB2AB441FE13EB588345ABDE0F82E324C4
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.9120881175384286
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:2YvkRxpHWmCW5O7Nyby2sE9jBF6IYiYF8pA5K+oCGUHF69Sz:vvk7hWmCW0Nyb8E9VF6IYinAM+oCuEz
                                                                                                      MD5:4314D483552C965E658C7C58929A8D6D
                                                                                                      SHA1:DBB6F9A41B8DE539BF082B26CF9367346FB32B3D
                                                                                                      SHA-256:3A464BD5D7D29694A52A84EBD32D57F6225DCF08F392993B041EF37AB17171D5
                                                                                                      SHA-512:AA1DF698A6923F83A057E48FCA8E811A2F1C0DDE698C6C40480187F0651C9F2BD384BF6090F95149F3D2BDAE9FAED36EE1B1EAEB23BF909FD10F8B5A40B997F0
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.875758648591913
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:CUiW2xf+C/WCUW52DNyby2sE9jBF6IYiYF8pA5K+oCGUHFLZioEt:gGMWCUW4Nyb8E9VF6IYinAM+oCRwt
                                                                                                      MD5:E3B700A74640FC81B9CEA927D121C2A5
                                                                                                      SHA1:9B8C917E4D7C673AB043BFA615A077D8FB49AD44
                                                                                                      SHA-256:C11438FBBD7136B75F58B2EE21DA25827B814257A5489AF3957901B37BE876C7
                                                                                                      SHA-512:8E7B9AFD381EA16975E8C92596805523BCDAB80CE64B71EFB87C91C402D9C017DE543E074EE2517B1866E6783D972651A8E328C66CD60C3C69C93B74B6DF3167
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.857054298846541
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:/BhwI7WSQWLNyb8E9VF6IYinAM+oCCtgMW9i:/DwIBlEpYinAMxCvw
                                                                                                      MD5:4214C8ACC40CE0164D9EEA22687CE0EF
                                                                                                      SHA1:1F156837CCDE47CDB77BD919C6C781FC775E02CF
                                                                                                      SHA-256:8AA7AA16F30C28D46C97925EC3A967B6350BAF257EC49C3DC031F535D884397C
                                                                                                      SHA-512:B59A35FA0A41AE721E1F143317934A5A3E380245993A1A370AB31CEAE3150AC223A5A53B4AA43247A632DE13BBD91513E2A1E89D5FD44C20CE757D96C25E79C9
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.870890431174606
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:kNc/vlxK6FW4lW5TYNyby2sE9jBF6IYiYF8pA5K+oCGUHFLKKPfewkKCi:SyvPRW4lWaNyb8E9VF6IYinAM+oCnKeP
                                                                                                      MD5:39546D501824B31001C237F69672EDFB
                                                                                                      SHA1:B7A4EE51B65F2A52C2B0A1557FAC4A6B86571544
                                                                                                      SHA-256:D86E70FB7EDB31E59242E5ECEC1617F83928025B243158E17E100F5EE06734F2
                                                                                                      SHA-512:56F776BAB2BBEC01B43AADED0414085A52A4687F6E78393CC556F75D3C13726A3D71FAAA4D29D28645BF97D14CF9D773972D413D2553C8666BE260714E275779
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16432
                                                                                                      Entropy (8bit):6.824226980431581
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:Cnhp+J2sx/5W6eW5L2Nyby2sE9jBF6IYiYF8pA5K+oCGUHF9IAvnnBArO:k6RW6eWoNyb8E9VF6IYinAM+oCiAvnv
                                                                                                      MD5:7662073D5C9F5DA86E7BB16AC01EC465
                                                                                                      SHA1:5908E08B51C311BF941FD3E8D7494A43EF556707
                                                                                                      SHA-256:E110DFDD5440CF6A8945309477298DEE2D12F6B52E9E80213E817E04E457BDC9
                                                                                                      SHA-512:608CA6B3FE7EB302E044ECE43C83A41F437820CF743CC5E4D8A3C02209E9B607C699B02D7F67D8C47C77DFF453C26138FF2F26A2E52E83662DA34279DDC04F20
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.857337169237656
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:3SPuxFp9W70W5pjNyby2sE9jBF6IYiYF8pA5K+oCGUHFqR3O0iG:3SUP9W70WTNyb8E9VF6IYinAM+oCu1Bd
                                                                                                      MD5:C7475AA5C816671F648950C8B3D80A50
                                                                                                      SHA1:5C016A103034944586FC1E427D413BF7ACD32934
                                                                                                      SHA-256:DAF45389137134A78C7918837084C67EC020BA4D4B6326A9C0167A892B0BC6BF
                                                                                                      SHA-512:53E0A144440F15949D5881E3234E248099D518CDE6424CEF9A71351DD141A0329A012FC3BA36E361C61A8AFED28B5FF7B8D65A161681D3CFC4294E2401588D79
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.850913897976473
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:838yg07W0/WFNyb8E9VF6IYinAM+oC/orPM:ABH0EpYinAMxCAQ
                                                                                                      MD5:06188251B3A1A875394711909E08FB58
                                                                                                      SHA1:AC3BB0E100B209F13EBD3D1F4541DBBA86380C82
                                                                                                      SHA-256:63E55277CA37F86089AAA1EF548A829EF3C79F7903ED90CD2A87A5A36CA05560
                                                                                                      SHA-512:C13D22C64CB6EE3E9B6128876B2C5A008E5C0A8FD70E4BBBBFEAF6A8B2D9361A428673F44AA5BB3FF3A255EFA0AD4362B234AF9CB128D6FF6C9EEF18C88777E6
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.816246694368643
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:queAxQJ4WmRW58/Nyby2sE9jBF6IYiYF8pA5K+oCGUHFOq9gyBs:we1WmRWaNyb8E9VF6IYinAM+oCaKgb
                                                                                                      MD5:E6ABCF274EEE36629C345B9AEDF26554
                                                                                                      SHA1:187B7F5B3166740895FADF9D213389366B57430C
                                                                                                      SHA-256:3ACF086B5F0CA5198B97501853AA4BC9C39EC48B420157C55CF166B73E8F0F36
                                                                                                      SHA-512:E8C740F7695798102E37EBB1419A8E7CA9601B37930F2E446B4AF01277B8D28D732CFE9824FC3911EEF43C08D6E3732C8C7F3E03A1D04798B1607DDC2FC07120
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):142384
                                                                                                      Entropy (8bit):6.161479044620922
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:SUGrszKKLBFa9DvrJGeesIf3afNs2AldfIQh:lBFd3/aFs2k
                                                                                                      MD5:A43365B5967E6019BC635070BFC1E909
                                                                                                      SHA1:F7C0912954D447DB22A06AE3E322C1AF718B41C4
                                                                                                      SHA-256:EE2DE8A438625A5FAEE72A26BBFDB9005473B7FCBFDF5B0D114FFB113FC4E884
                                                                                                      SHA-512:4C22C5BFB7828BE10074B4D52CB44B2BDE25F9007E01CC918FD538B6EDE72577FF0E54E93D33A5FFEC25FD84D00512E99E7D1FF8249E92FBF7A38F263BD4151D
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):192560
                                                                                                      Entropy (8bit):6.115523408722963
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:xeruQlNGOhYq0AQcTvankc+8lbKta4FUPAT8xpRI454I/Kv6RpZ8dwPSgUS:UW60VcTvakcXcApOG
                                                                                                      MD5:8DC9C3A2D3770FBCCDD2D25266CF69D8
                                                                                                      SHA1:07C4CBFC3F406B65FCD917B178B497B2F787409F
                                                                                                      SHA-256:A1C0B1830533EDFD5A02E16D5C20227CACA3FFA8485216142F056D761B95A05A
                                                                                                      SHA-512:865CAA63FC175E74EE7572886C37DF90AB2EFCBF76536A5B9B188E4AD3C7BD6C714B6713202F3C716CBBF830D28E8C54A6D17FA1A634267EBF3C0121F10E41D8
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.840129577582069
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:oCZsxgyrWYLW5lSNyby2sE9jBF6IYiYF8pA5K+oCGUHF5LxLCiLv/Z5:os6ZWYLWyNyb8E9VF6IYinAM+oCNNLPT
                                                                                                      MD5:21B5CB012909AE25847697B060BA8B50
                                                                                                      SHA1:08182D897B6176818C15CD68858D7EDCDBD5151E
                                                                                                      SHA-256:60CA68678C435561216B95DE986225D0EACC7957822781DC709E142A23E96AEB
                                                                                                      SHA-512:AE94EC4E5D6B339526045FF29DF7099D8E59587D1CCC53434A0C775A9D5055EF5402335F302ABA71DBE97BC88F7A49B2F8798944413A98DF38EE0B60C95A2C7D
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16432
                                                                                                      Entropy (8bit):6.791178572741935
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:jk14xPxHWMQW5YGNyby2sE9jBF6IYiYF8pA5K+oCGUHFKHdLonB:w1W1WMQWrNyb8E9VF6IYinAM+oCuHCB
                                                                                                      MD5:03B4C9F4BCC57182994AC8F1FB30D357
                                                                                                      SHA1:E2154538A6F7304438DFC2B86D05998EBEDF83AC
                                                                                                      SHA-256:632E7F3C2E848A6176BF159EAC25E8025471DF3AF565749991DDC0A72BD08F58
                                                                                                      SHA-512:125C8D889B7569CDBC2A5E10B483984E08C66461DA9FE9DD8A26DC6401913720B448E44049ABBD2D0C4B4825C3D2480A13D5CB70942F3DA037C6A155071D2520
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.834812088864677
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:FQ/rx72WSKW5xjNyby2sE9jBF6IYiYF8pA5K+oCGUHFA/kq+rop:2dSWSKWvNyb8E9VF6IYinAM+oCsF+sp
                                                                                                      MD5:B94C0D55F9DEEBCE0AE518A7C1FF7FC9
                                                                                                      SHA1:CB0D9783B75CEF6F6646456D1BD1FED6CFFBA6E0
                                                                                                      SHA-256:826FB58946DB883EA027C648AF51456B2DAC02D82C0640F6A3D47F75F60F7E91
                                                                                                      SHA-512:71CF72886EA82807C41C33A4BE8F4E3EF96AAA8FE0416BD679DDDDE5FF9B299FC04105BE35886598C37EBDF17D8FCE77B8C12726191CF5CC7BE2A6F42BDD228D
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16432
                                                                                                      Entropy (8bit):6.749123657530473
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:iJEYA2WkIWhNyb8E9VF6IYinAM+oC1IZ328LQ:iyYA8vEpYinAMxC+ZQ
                                                                                                      MD5:A26A7355A0F869DD740F8302E696FF25
                                                                                                      SHA1:B1FD9DC4A90A4143774525C4554957176402106B
                                                                                                      SHA-256:518C1803C8DB6875BF335151F892E34DA725B121B7F7617CB1866956486592AC
                                                                                                      SHA-512:D9F0856A2F0EE39B8001EDC2AB478718A48C974571FCAA38D6021EE72D5820239D703E37C293CAE508284BD209AC35DCE58EAC9A141C9B4FB023A70EEE95B160
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.878256468311067
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:EJGWe4WENyb8E9VF6IYinAM+oC5OXOvIJ:cm6EpYinAMxC/vIJ
                                                                                                      MD5:B13D87B4279183343430165A63DF5D61
                                                                                                      SHA1:A8425A12B934F581E4B2590F8726A00FA59CFC9F
                                                                                                      SHA-256:9783A508C583ABB0F379ED9EA780E83AB2E506FBF8C2F74341DB5D61E40A2CB9
                                                                                                      SHA-512:112CA58BA27B7530A6BFD95C722A966F597F67988157E337E6AB365832EA1206C15150CC572AFB3FE70ECBD42CC2186BEB2B6291ACDD1411B5B60522DB134AED
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.784153781952316
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:FdW1w3WesWvNyb8E9VF6IYinAM+oCV4Ram0p:S1wx1EpYinAMxC+Um0p
                                                                                                      MD5:A647351FCDFDA523270411A05330F65F
                                                                                                      SHA1:31AEA0A4BD322D38BBCED174377C69C26E1C1420
                                                                                                      SHA-256:C828BC2A65A5DEE3CE49F2FC01EEAED02011CE4C4BABDDB2E187AA2C1793193D
                                                                                                      SHA-512:097C3627DA0FB41FA3129250B7EEAB35053F0C26B222903194F4BFBCE36D8BF7A32AC0338E72234010538D07512D93C557E98A6F00A76F5F3126B6BC4C31C94D
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):24624
                                                                                                      Entropy (8bit):6.594209857362746
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:fylNGlfdqj5531HJTABhf8g2MkO1ICMbmiT2Y4Y3ocWS9sWvW8YsWmNyb8E9VF62:fyp12Bhkg3qnV/sEEpYinAMxCRvA5
                                                                                                      MD5:B801570396E51A09A5A839F68470EBF3
                                                                                                      SHA1:3AA0C793291D8C6CEE4F558474FBA64180D2A635
                                                                                                      SHA-256:550DA51098EF5C3AD5F6827FB682C098D2A55B513F39FA89F23546F7BBCA0CCA
                                                                                                      SHA-512:C168A6538763A574349FE5D4BF8B6BE42CA4B353C11401D16AA5BC50B718F3C414D7214F3115B2767FB175BEB2C187491D0C0358414C2D5C3802FC0821F2AD15
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.857045567772236
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:hSHlx2PW1bW5akNyby2sE9jBF6IYiYF8pA5K+oCGUHFl5tvFj:kHPAW1bWPNyb8E9VF6IYinAM+oCJ5jj
                                                                                                      MD5:755763AC761829B708C4F6AC1E4DD56D
                                                                                                      SHA1:95891B7A944C0CEE2BAA670108A9338A8D7BBE0D
                                                                                                      SHA-256:9F2D4608E3FA4AE04E6EDA3B06C4176AA30B9A12E9978528095BE4A3C8215E4D
                                                                                                      SHA-512:04BC832878274BCC98CCB18F269EEA96105C3B243EBB882B62A0DEA079F0D073CE83335E517DA35B7E6F6A4CDEA13DBB459E6F942B33821A686D5D79E619364C
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.855690111371631
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:o+TxwFqWD7W5d/Nyby2sE9jBF6IYiYF8pA5K+oCGUHFCet6Kg:jNoqWD7WXNyb8E9VF6IYinAM+oCegg
                                                                                                      MD5:FBCBC20D98A796E892CE421A726CEA4A
                                                                                                      SHA1:C9D25AA5AF24F4983DBC027FAD7B89573C0158DD
                                                                                                      SHA-256:5370C7DB181CD65698E34893D3C234738CD4FE6A844D153311A6A2AE26532A48
                                                                                                      SHA-512:9C76F247A66693E846D0F83CD32F0952083AA8144AC904162756073F9AF103A87DBC4A0F1E0A3EF328A8237D307C1A6B41B05BB7A29D3014F9936C51F3057C5D
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.863088883661345
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:dGETSAWUEWvNyb8E9VF6IYinAM+oC6t0Jx:hT1tEpYinAMxCv
                                                                                                      MD5:C9029E037F4B3871CC6A91E1B6C1EC26
                                                                                                      SHA1:0141BFA8130F9E66BD96134E3481DBA578607581
                                                                                                      SHA-256:8AEEF456BC4D080E528422A7C84999E2A37B55C7FC1D54946BFCF66A5A563602
                                                                                                      SHA-512:09CE23955A754BAC1C8BC00B293A3FBC6A18882213F2B2C60DCFB6BC20AAB29F66DDA39CDA86076EF9823B01995F672E95D97CDF19D2B43E8E625169E83935E2
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):110128
                                                                                                      Entropy (8bit):5.512428319727748
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:VPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/i7Hxd:VWw0SUUKBM8aOUiiGw7qa9tK/ir
                                                                                                      MD5:EE7E03D81617BEEAC4146802F335ACE0
                                                                                                      SHA1:5FE83B56166303C06BD972AAC90568E35A54DCE6
                                                                                                      SHA-256:E873AD02839D122803CD13560BF9800D284075062E6B672209095823CD9F101F
                                                                                                      SHA-512:37748D3FB882AEA2CEA60F92D12DC4E85C9929E18DE677CC6389FCAC05BF337051CDAA7C770DD6573273329C1F9DE6BF523967A7E851C5C1BFBE38584F794B0E
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.8513999869142745
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:BcDagtDApWSKJWVNyb8E9VF6IYinAM+oC4Ls1hK:BPKBCEpYinAMxCNzK
                                                                                                      MD5:82FF772662364A0C496745BC1B4C1F26
                                                                                                      SHA1:D6C63BE1D816520E1276AD3A058D17BC67E5AEC6
                                                                                                      SHA-256:FE0A154AFBED15F964515DD613BDFF6927AAD440A5F5CD698580E8EA548875E9
                                                                                                      SHA-512:62DF45A06C008E0FEE7D5C40130C04548A69EFC501A1EBF6E06C040967DC5A75BBFCB11F2A5F417740ECCC5AE9BE84560C263D080D7BBC5881967FCD8DDBB80E
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.859839841612763
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:b6NxhqWD4W52ANyby2sE9jBF6IYiYF8pA5K+oCGUHFAybofaz8MC:6IWD4W3Nyb8E9VF6IYinAM+oCM0Tz8MC
                                                                                                      MD5:F3AFFB9C15521C0072C36F033650A77F
                                                                                                      SHA1:CD6167209EE2BE9DB10BBAB5B6FDEE5DEC9ED8AC
                                                                                                      SHA-256:21D64B5811FAAF215AD863A9F1B164240F235806D51751A6CC0684FEC1AF54C5
                                                                                                      SHA-512:656899E1F92DE6B3141B7FF59B695AE3EC047B7EAA0549F79AC9FE6C0E70C8F8CD4A52E2FBC0DEC85B61598A9241FB6DA32F17A08064C21FCDF1E3747CB24D7E
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.787615206970784
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:oW2KxVSWzQW5g3Nyby2sE9jBF6IYiYF8pA5K+oCGUHFh/JZlpi2Tr:HMWzQWONyb8E9VF6IYinAM+oCN/Jc23
                                                                                                      MD5:74CD47CCF9A23509EB1925949117C7D0
                                                                                                      SHA1:BB4CB6FDAA42DA65C8BD6CA583F981F5B1A30EC2
                                                                                                      SHA-256:565175621EC7C5E2DC1E4FC10EA7A191D4AEE273AAD9488D27155BCA8D9326B4
                                                                                                      SHA-512:E53CE1150EF7E0DE8514CAAC5745D8A9A7F529D2E3A5DF770F6A52D6A8FB1782A88A400A15A48AAEE2197AE7CB9E57A4C59CECE7FBB1A1D684F2809A1FE81CB4
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16432
                                                                                                      Entropy (8bit):6.724837659990903
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:pxDHKWAMWeNyb8E9VF6IYinAM+oClPK4N:/D8wEpYinAMxCVB
                                                                                                      MD5:2A13C29EFFE6FFF14E834DCCCE11363F
                                                                                                      SHA1:CEE6B6D5A120B3D9F8B3AD23631D030589297A2E
                                                                                                      SHA-256:263E679510015DC47E8144298801B83A2EB2B54683E8CB77945F7CE7CFB8AF6F
                                                                                                      SHA-512:757FF7D240E3E2A056F55BA9FC0CB75C6592796F5375C90BA000DD929347AAD5A9817C1F4048C2E716E3171118F2117134245A6ECF2727DA5544580237AF57A1
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.832344368002849
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.886146240522453
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.834800241318689
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):17968
                                                                                                      Entropy (8bit):6.674121027050591
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.813554018350934
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.765789192823512
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.875547004279443
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):22576
                                                                                                      Entropy (8bit):6.62055244452865
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):18480
                                                                                                      Entropy (8bit):6.673862225741473
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.831572533599495
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.924286323235784
                                                                                                      Encrypted:false
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.894774524663774
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:gAJpVWbfkBnWdNyb8E9VF6IYinAM+oCnZMt:gAJpWfkBEEpYinAMxCQ
                                                                                                      MD5:2C16F35F49CA130BE20A66BE212A533E
                                                                                                      SHA1:91974A82002EB4D573CC2464AEF22CD0E90A4254
                                                                                                      SHA-256:B7447B113A9EFD9D0347C3F758E3B07865C703B00218283D1A3DC77D0A270D3C
                                                                                                      SHA-512:D410689278E308D73ADD384F50E9DD0BE10268EC9C09D73268467649BE48BF4E51B8FD00A288A3729D34D6817B10A18012889855B8BCFED6FCF232EBF02A49DB
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):21040
                                                                                                      Entropy (8bit):6.5401063533970465
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:H8R71h7yzt94dHWFgQBVWeHWFyTBVWMNyb8E9VF6IYinAM+oCRNkQ:y1dyAqgQBfqyTBjEpYinAMxCd
                                                                                                      MD5:86C2CF8250170A56EA417E1BF13672F2
                                                                                                      SHA1:DA672A37C886FEC030EF542AB9132C2ADBDDC224
                                                                                                      SHA-256:033A22044A5922C19DC170DD18F9271BDDDC0C767ECD4184C8CBCA252B82BC33
                                                                                                      SHA-512:AFB4AAAC45C6126948FB28084610C26DD08DEA153EC15A5A1F5A52F2A68F44AA579ABDAB8E935D6E5B27E58685FED2A58BB439C30AE2EF78CE2CD2D8670BBDA8
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):18992
                                                                                                      Entropy (8bit):6.680985479092326
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:IpsBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOWUNyb8E9VF6IYinAM+oCZ8od3Q:qsPMQMI8COYyi4oBNw4tBEEpYinAMxCe
                                                                                                      MD5:89EACA9913DE5A262131748A8FBA413E
                                                                                                      SHA1:711C34F847E09B820D857ABD3D1A3FF054B10978
                                                                                                      SHA-256:7C35E1A3F017DA51957052CC39E02C28CBA1F36F6E46B35529FE8CDDABE1C9CB
                                                                                                      SHA-512:CF337FC86DFAE20266B47F276E38BB2434C1C8A674C4F37D29BE5473A341F97C86C01368161318DEF155CE46DE5C4C5750F90B228D62866FAA61F4A413FC3FB8
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):23600
                                                                                                      Entropy (8bit):6.319697338021789
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:xbhigwLAuZtM66g/Id7WVXWwNyb8E9VF6IYinAM+oCdTuuO0:xbhzkKs1EpYinAMxC9O0
                                                                                                      MD5:6E381132DE152A3475E305709D23D4AA
                                                                                                      SHA1:A44AE3A6050A6771B6A6A7EEE0CC03B033B2758A
                                                                                                      SHA-256:A4AE7B340B49695889BA3893D49F26B645E3B198B21DAAC7BADDC22C9CDE4D6A
                                                                                                      SHA-512:62804A7FE51D980D9D4329CBC620B52CA247254C63D280E58D891AF62C74B2C4527A8C01F12DEE0C0D7BB92B44F23CF2F2BF0EEAB19A79A307DD36EA2049E31B
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.86777742071565
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:QUcX6W9aWmNyb8E9VF6IYinAM+oC7y5BZ:QUchSEpYinAMxCY
                                                                                                      MD5:B6F47697E2167ECA90DCC729460FAD0D
                                                                                                      SHA1:0B093E1D3F362686E7670F5D5E97AE39D1A688C2
                                                                                                      SHA-256:EE59B35346BB964F045938C42F36B31152FFE0448FB7C0F47A8D4B8F3F00223E
                                                                                                      SHA-512:CC251146A799A924FACD7763AEC15422518A1B311F1151A8388D45AC88B20916B2AF476E1B56E7563A0CDD6AB0D32FAF980A56A64988C0AA79F87A6B33FB6F02
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):41008
                                                                                                      Entropy (8bit):5.952082983895029
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:eoBj7kS+8mjvHTeaWKs0Sd4eerEpYinAMxC6:lPmb9WKs0PeeE7Hxp
                                                                                                      MD5:C918A56C8019B355893017E80AA011B4
                                                                                                      SHA1:6FB6750CC0B061EBD8FE514761C9435A640EB3BF
                                                                                                      SHA-256:084EED4F8A3DB18429152AC69707170EE9699473197B268FD50286A62F11AC41
                                                                                                      SHA-512:0211A760A2A37A6925C46D243653C0229C9F30C7AD0CE25B2D8ACFCB6254409E7A883DE37AB3BAD78B188BBD4A4B03724834ED8FD3F230C730D86DA5044A832B
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.893731616710799
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:vTI2pWPzWKNyb8E9VF6IYinAM+oCWxypjhJ:vE3bEpYinAMxCppP
                                                                                                      MD5:F65144928C3B53C7947BB102E1288E6D
                                                                                                      SHA1:E7EAC99B2314CCA19696CA438E44CCDAF9013737
                                                                                                      SHA-256:BA06A4E711707C8644BABAB2D36414EBF44BE0ED43E2C0EBA6970AB8B42FCF86
                                                                                                      SHA-512:CA41E3E9AA31A45995A9E4C315ED6FC6D4195242C5476407224894FAD4BEC056116D5FEC1BC1492B4E0096A7B6969CE02D711192A46518AB0AAEC12F46623F38
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.912028776126427
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:ucezoy4W04WFNyb8E9VF6IYinAM+oCm/N9fw:uBzoy+DEpYinAMxCm9fw
                                                                                                      MD5:2A34E7463FF6CBFEEDE44DA8F342B92E
                                                                                                      SHA1:26F6D4E4D597F8861A706F4C7EE8D140A46C7BD1
                                                                                                      SHA-256:3F8E7F6F16EE6782CA2F7E95BDEA4948748A7C1C6D97DD8879543AD775247533
                                                                                                      SHA-512:D39E991937ED94F77FEAF88667374FEE4E0CB9FA7223D0ABF55898B451E343E8AF28175BCFD70C93E52C501E61918915E1D583C7E565A3ADA955E6EB7917AA34
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.795128333926592
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:c/gHWexY+WKpW5ryNyby2sE9jBF6IYiYF8pA5K+oCGUHFjekeXY67Z:lH/JWKpWwNyb8E9VF6IYinAM+oCXI7
                                                                                                      MD5:507447719CCA867D2537FE48B9EABCBD
                                                                                                      SHA1:6F819B9EEE30EFF3229C22D1FD2D8E05217F678F
                                                                                                      SHA-256:E17A634ED5046725D17C458C88AE68E182AD084376AE0A513B2EC435DB22E0D9
                                                                                                      SHA-512:BB6177865C0FC675CD1DDA9BC4CA2C426DDD4BCA987D36A1EB98E063DF6D6DE334723063FAA2AF77A5022D55719C74F5A7264F100B11B2482E75E78400A2FD9D
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16944
                                                                                                      Entropy (8bit):6.743765550669376
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:rTjbocNsWMhWbNyb8E9VF6IYinAM+oCtLwE:DboYy8EpYinAMxCtR
                                                                                                      MD5:46646113A8671C616E570AE130191375
                                                                                                      SHA1:34EB3F3285121040C65F124828FB22C57FD45F4F
                                                                                                      SHA-256:F42B0174884859EEC6DA1E8B30141E19F600AE4553D039924AC0DAD4E1841CA8
                                                                                                      SHA-512:855CE45C8115555D0BE7F945CCB77D7D8CE05DE1472F4B0D4CAD8535B92550E4D00901F10078DE81E10FDC0FDAF1D7E10B14F4489E671BA271F1C72D507C76A5
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.843952558952105
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:xSKiWIhWCNyb8E9VF6IYinAM+oCLp8t2l:xSK8FEpYinAMxC9f
                                                                                                      MD5:81DFF20248F2B19ED960B2E53C49691A
                                                                                                      SHA1:6117702986558F2352E9068417EC6D5085835EBD
                                                                                                      SHA-256:10EBD20E59BE4977CA2E8E92FA14A2D115D73371B4612C09E2679B1EC026C9F1
                                                                                                      SHA-512:F9BCA3BF3560AC6EBD3E7A53AF29ED0389E71780D68DBC19503418A0C5E524C592FDFF95E7B8714DFC0C438CA5264BB31F66A57722EBD80D9C08AA0E1864A415
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16432
                                                                                                      Entropy (8bit):6.791455106805695
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:i0KbZWApWmWTpWeNyb8E9VF6IYinAM+oCkp8t8AJ:FKRylEpYinAMxC3j
                                                                                                      MD5:C46F83097836817F35C876B17DAE8730
                                                                                                      SHA1:147BD9C6C2211559084EB1F1B1C9D6A99D6E6C06
                                                                                                      SHA-256:0584979D15B684039D5BA5AD34EFBC674792A213AFD2645DEAF5F23D02679E22
                                                                                                      SHA-512:BDF759C71B8154BA7370381DC4910352F76903E063BD6E112EF4454E2E5382AAC6818643928106600AF771CBB60ED6B919DA5C1341C0074A5D2063E119F823FA
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.874748396830931
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:+b1nWCXWzNyb8E9VF6IYinAM+oCnY3lWx:A7SEpYinAMxC1
                                                                                                      MD5:7D700D3B38D8DAFD0810CD4876F9FD83
                                                                                                      SHA1:B4F61E58BFB4F3749DECC8B346B07177C9627CF1
                                                                                                      SHA-256:D2CC735515202BBA87EF740A93276C74E0FE2BD88BAC18EFC7D8DD74D76D381E
                                                                                                      SHA-512:594A2A91060036416ECCA8FA7C3F70AA46B2996A99836A36B84BABC7C8B4D99B5D844EE588A97A60EA1CD2AB96AC8A0B8F5D918917F09B5F2FEEE80B1A1C7570
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.779188885791948
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:cNc6cYxmPlW7TW5KhNyby2sE9jBF6IYiYF8pA5K+oCGUHFFr9I+Rtg:uTyW7TWWNyb8E9VF6IYinAM+oCRr9vg
                                                                                                      MD5:0A454F3BEDC63C21C6ABA90E35E80C06
                                                                                                      SHA1:A31F2F6C213CC5381576F4324FEF98CCBFCA4016
                                                                                                      SHA-256:8586A1D14998B33519E683C58EC2D2CD68B94DB7BC6D4D6EC290A36AC248E50F
                                                                                                      SHA-512:BBDD88FA84D631B88DF7F11AF7EE0BC08F3A0E2B2A850ACFBC0336A394354697A7AB54002839D29D1DF4BBC388C16F3031ECB165FD147346BA18634CC301E9E3
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.909257187752604
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:f6Rb32WVzW+Nyb8E9VF6IYinAM+oC0Bz9:iRb3dfEpYinAMxCy
                                                                                                      MD5:DC8AF98B3AA43EC27CFBA21DC2292837
                                                                                                      SHA1:69CE0B481F2B49643CB946AD02A90812B0A7EA19
                                                                                                      SHA-256:EFA42933DF41DEA9FDBE6BE37912770D3E8C3869961460E9534D645A7677C40E
                                                                                                      SHA-512:9FC0DD720AC089202D638743A0F5A50388DE3162177320B56508BE69078073625CE626BF853FA0D87EAF76A4BEC4167235EBF9886FE5E3041643831D5E233613
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):31792
                                                                                                      Entropy (8bit):6.537621622428481
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:mu5I+sqOylryry8qqIfUc7a5FEpYinAMxC1xHR:mYIVBpry8qqIfUcm5e7Hxof
                                                                                                      MD5:F52348F4F20D6E7D869376E16E61F4B4
                                                                                                      SHA1:DC6D2D361FEC63C60D3B1FC94F1202407DB5BE90
                                                                                                      SHA-256:A3DF93074CED87596A7A0006347854135A1D223CC495D31B33554B013F5C58A5
                                                                                                      SHA-512:34A1AA5AE037924DBA14A4F885F6A440B7B7027C94ED63674B74199D012C65B9C9419598B696364254F7635B2411E29C1B7AFFA423D91CB0414E1BB5DE6D6CEA
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.875852056465243
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:Kvn4HREpWiQWRNyb8E9VF6IYinAM+oCeWDgL8m:FSLEpYinAMxCZm
                                                                                                      MD5:F267535EE36B8534C17EC699A4794D23
                                                                                                      SHA1:9F1636C48D07EC6F6D41F502EC6C34D1CB366A73
                                                                                                      SHA-256:8F8FF68F8F9D9B0B5535F299ACD91760B12B04DD0F002A625CA37BC1CAF5F30C
                                                                                                      SHA-512:706281AB412C1683064C19CD710D38168090F3B203A361F5F7765DD7E4D6A7830E785506D852A1CE12CD28C195BBCF09075A9611F41F38170E31D34ADD029DF5
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16432
                                                                                                      Entropy (8bit):6.77448448889411
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:Y8MjKb47T3UCcqFMkJ59WdtW0Nyb8E9VF6IYinAM+oCov66o:pMjKb4vcGdOfEpYinAMxC+o
                                                                                                      MD5:C2F1630FC88F44DF3AE9B49BC5B7749C
                                                                                                      SHA1:3325347B005570126D474FC6C87D670E82C14BC5
                                                                                                      SHA-256:7A3853809A234072CDABB87AD1DBFB8C6C49BDF55F2E29883F1A7860AD2B302E
                                                                                                      SHA-512:6A56651089A71E995BE977B734B970BA1BB3FCCB9E6D2646D6E7F05BDBF00C7EE635A2A9A4480A18A6DCD1669B7C1B58E15BB1E9315CBDFE0EF8C2BE0E73DF63
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.856668488122503
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:vzyNXd4+BW6FW9Nyb8E9VF6IYinAM+oCDYhbhG:uzKEpYinAMxCc3G
                                                                                                      MD5:B679DCEC9760E87F0008D4F2F2330541
                                                                                                      SHA1:04990E4E550115CEDFCDC3CB6ECFC9C210EA0A65
                                                                                                      SHA-256:612852589918EBDE806FA392DF3C69B401976240BD3C2FD3CE9ECFC32C4CA783
                                                                                                      SHA-512:C5833E1E545D012B43F2C8349DFE70E16DC3E01486F0A11B7FADB93A26984017B704AAADBE743CF916F6FD0368977E98D5E761EF64456DEF51F717BE4270F7DC
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.8620326999031915
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:gvs2Q3HKJNrWWRWS6Nyb8E9VF6IYinAM+oCm8ZrH:guMmEpYinAMxCPpH
                                                                                                      MD5:A2E040D009F3E0B869B6466665F64E4B
                                                                                                      SHA1:CF5F9D94C7E0A604A0ED4221AED05CDF13265E83
                                                                                                      SHA-256:1FC703C161A30E623DD7AD1C9E6D5CE2DCB57B3A64ED258D3E100A718FCE9885
                                                                                                      SHA-512:7116E91C9605669F5746D34E38B637C621EE5B0F93528B5F1B14004416E3ABCC00B5E9B9C937970104D9AA4B3D043C37811ABD47C609D29CA30DE9E5689F11DF
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.829858302949805
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:iFz0Q6gcqRhcsMWdMWtNyb8E9VF6IYinAM+oC9Jtac2Y:iFz1c6jEpYinAMxCLN2Y
                                                                                                      MD5:4D5C5C3571C6FC162E5F2386B4350933
                                                                                                      SHA1:1E8E9426533863991A81C886D294186275D639F8
                                                                                                      SHA-256:C2E38BC6156537A6177B199F99F074D6B1EC46F6DE82004B11CCF3F07F13448E
                                                                                                      SHA-512:F5433FF6422E8CFAE794D84EA4996AC1A284B3A5B455028BC296CFA14EEC1D7E66FB5D1A741C7EEC32A94C0D6F30CA1A746BF13A1AD5180428AEC7E93FE29EB1
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16432
                                                                                                      Entropy (8bit):6.7233141405495465
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:y6xWA3W4aW/NWgNyb8E9VF6IYinAM+oCIJ8+:yaBbEpYinAMxCs
                                                                                                      MD5:17A8D0B92AFE0AC51D0FC1B099A10E79
                                                                                                      SHA1:E4FCA15B61A4F453C6C04214B9392CA1952811C5
                                                                                                      SHA-256:64F8EAB6554162F3BDA95CA44402C1CD470E74E236E6C7C9A2B594DE0613CD15
                                                                                                      SHA-512:7E53167BEC0B758C74F6E1DB22A495843C921320BB5395B505847F81EBF17D541D06429DD3FAA066E39438EFC9CA1A0BFBA0FF11CACB1DFC978AC4C40A13F24C
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):73264
                                                                                                      Entropy (8bit):5.954765148782394
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:7784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRvc:77N1r9KGI04CCARLvc
                                                                                                      MD5:B0198470EB44D27E51D9F5818F4B26D2
                                                                                                      SHA1:828733ACEC782256A947FBFC0C039C1AE9F075AA
                                                                                                      SHA-256:C9AF9310D3F5DCF8B999AFCBF78B864ACC8B974F4F5B12ED3945CADBE7785082
                                                                                                      SHA-512:7D0337696D05516DA8203205515A3E6CB081C3EB8BAC1606903F2DF239D3A44771E1FF031B7FC9E67B85AF23D8DD04B3AF7670BE8D8393CD5EB0A8A4F8E3B922
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.854248517746036
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:mr97WquWeNyb8E9VF6IYinAM+oCkp9R3Wbe5:mRJWEpYinAMxCedKA
                                                                                                      MD5:341CD9B332F24C4C7E53531164666F9E
                                                                                                      SHA1:A07A58F26C5FBF41DA3456CBDC796ACDA69B2EB7
                                                                                                      SHA-256:D14874711A9DB1FE279F759780AF2D75CFB24AEF27CD2BD7C7EA984B13B41807
                                                                                                      SHA-512:CA4A830F7733BFA4F734C406136B60539D7C7C842E4606FDE04594792EDFDC70A55EE23A182EF38CEF473D5003F6FB5846DC7AE26A85F98CCF013FF4E6783975
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.794085088631407
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:R16eWLDW1Nyb8E9VF6IYinAM+oC44iq5k:z6LIEpYinAMxCqq5k
                                                                                                      MD5:6F9FBDB014EFE1DB688C627EBAC7D417
                                                                                                      SHA1:3C574F015D8D8D4B518A3046ABC740868A067CEB
                                                                                                      SHA-256:C2742EA58FE3BDBE6FDC70EE7902E4D17FE701EDB8C4F2B5320C2D68C84C0C5E
                                                                                                      SHA-512:AB35E8F5EAF790E4D3376F3CC48CE110061042C9860A0EE7713070A4B8F81E0311BA1448257D69712C8858F367270FA2B3E64CF2BD62CAC645B35AA425CACCB5
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16944
                                                                                                      Entropy (8bit):6.786517559975683
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:l8G4YC2W+wW8WpwW3Nyb8E9VF6IYinAM+oCPVmR:qGZ5ZEpYinAMxCQR
                                                                                                      MD5:684BFCEDF10E7B1C8DADA304444168BA
                                                                                                      SHA1:A8F418C33C7A1F874546B66CCB565F0FD44FD7BD
                                                                                                      SHA-256:D566DD2D463213EC388502E81F4918630642C1C55EFEBF4E049E528757CC7C3D
                                                                                                      SHA-512:95EA23DB7A555B9B2178BBE52FD79C16E4DAA6874F4672A9D855CE8D41B4EEA5AEF7DBA5298C2447B916FEE99414F5CA896E3E1FE53DDF42C74A95DC898D7516
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15408
                                                                                                      Entropy (8bit):6.898142113844479
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:96ziqTEkGWvRWpNyb8E9VF6IYinAM+oCKPITS:9YT1yEpYinAMxC0cS
                                                                                                      MD5:73F2E9747A6A2B63D1113DF842EF2255
                                                                                                      SHA1:727586913C26BBC7B234A157A7C1B9515D14BF7B
                                                                                                      SHA-256:DAB74A74DD09058C4CE7BD87317660753E89F651E95B780C867AD210B455CD29
                                                                                                      SHA-512:048F3C1AFCF5AE4CAD212A4749A7BAE5500DC859FF1A9599CFCF9632CD7581782EC517992D4F00D540AF510AA2D5595634691355EC300873ED79901B229EA484
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.809623495878564
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:VUv7c7iWNCW9Nyb8E9VF6IYinAM+oCILeq7/:VM7c1VEpYinAMxC0R7/
                                                                                                      MD5:E2229C7506DF972C642D65097EB7E8CE
                                                                                                      SHA1:1063EE34789DAC1D81239B4F1E50BD037E017F9B
                                                                                                      SHA-256:7E57A50DCD9DE1E3312EE74E967A9993EC61E4234A2CB8503B4BED9E817093D6
                                                                                                      SHA-512:C9EA65CB82E766439266D11DC9B2D6C055C56BE4C35EBBB7960F15BE766D835C75F38E1437F3B1103E16CACABCE4BC5CCE9A13A5641F3335B4A2096CA01117F7
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15920
                                                                                                      Entropy (8bit):6.853233808770002
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:Th+vxmNWnRW5x+Nyby2sE9jBF6IYiYF8pA5K+oCGUHF8C8cosq:T0SWnRWmNyb8E9VF6IYinAM+oCIvsq
                                                                                                      MD5:D3292C8DCC7F14ACB5D84354BF301DDD
                                                                                                      SHA1:832FABE728E43F6AA4C0C005F52781C1EF6319D2
                                                                                                      SHA-256:527D1729C7BC55FDC88771FB13237CBD9D78DA0023997E854FC723C3C612686E
                                                                                                      SHA-512:ACBDED154B6F3A0EDB74B22EEA44DCD3A4F5610A750FE7291437D8144EA9D75BBFCAA58156CB4328EC16A39D3E141D71B286D4A977092E7E59DF693AFD73DD01
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2355
                                                                                                      Entropy (8bit):4.9802955226045516
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:TQ/s1zRs1ziVNn7pItUdSl4s1zRs1ziVNn7pItUdSc:TQ/gn/7p7Al4gn/7p7Ac
                                                                                                      MD5:29BF9E8576CDD9343BEC2F553461E639
                                                                                                      SHA1:CDC2005F528B8BBD4685E1DCD1CFBDF78006B450
                                                                                                      SHA-256:780AC753F7F192560C68FB45B89DC67D2E59BA5B0BD0FF7A9BA3195C461DD4D7
                                                                                                      SHA-512:7A0B53EB3FB50A8F54F74BDA471FC76CDE2DA2319F83E5ECF0CB7833EC0B3D88B2F1ABDED203F6AB316251AB0225674B9BCA883A357718FDA4BB57086CE2985B
                                                                                                      Malicious:false
                                                                                                      Preview:2024-08-29 04:34:18.7922|ERROR|AgentPackageOsUpdates|Error executing command, args: getlistofallupdates..exception: System.AggregateException: One or more errors occurred. ---> System.Runtime.InteropServices.COMException: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it..... at WUApiLib.IUpdateSearcher.Search(String criteria).. at AgentPackageOsUpdates.OsUpdates.WindowsUpdates.WuApiService.GetUpdatesByQuery(String query).. at AgentPackageOsUpdates.OsUpdates.WindowsUpdates.WindowsUpdatesService.GetUpdates().. at AgentPackageOsUpdates.OsUpdates.OsUpdatesRetreiver.<Get>d__2.MoveNext()..--- End of stack trace from previous location where exception was thrown ---.. at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw().. at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSucces
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):92720
                                                                                                      Entropy (8bit):5.483627118870135
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:B2Ec05j4eAH64rh5fSt5T9nFcI94WX7Hxcl:QlK4eA7mDmWXKl
                                                                                                      MD5:17B53AFB0FDB248CD2ABE749065B8801
                                                                                                      SHA1:C314274B96EC31B3FB668598F55675B2D8169965
                                                                                                      SHA-256:2B58002EECD2A5B793CC63F363189EE0FB78D654A63955FF09A0D38B5D04CCB6
                                                                                                      SHA-512:FDCF6ABF40F4B6CE679E1F1EE54B1A6553445BB885A97666220461FD3601B949A8A2E98C3075A442D2A7497204CBA55BD5F0F9BC2830CAE0A801E220E28E64C9
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2725964
                                                                                                      Entropy (8bit):7.999917199181124
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:49152:CTP2oXCniIA/ZMtub7ID8jy5MswqKRMgcveOpQfWw840AjROyvihIUsnLY8i8S1X:2BYiZc1z5Ml5dcpvi0ryozazGX
                                                                                                      MD5:87E0691D3B8DCB446AFF3C1A43BF53F1
                                                                                                      SHA1:572385F4DE28C78487811FC20DBB1DDB95DD7D49
                                                                                                      SHA-256:3E9F7558B5671E5125DA7C6C1975E49C907DF16518D899AFA7FB111526B2DA3E
                                                                                                      SHA-512:70D8184657E4172C64D6D876D2C99553A8BFED0BA5F25C3F5AD3A381D509A4C6F75BB95F1973B91D3B2E387D7AF615ACC2930A23842EE90180B5ECCAAF74FDD9
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):53296
                                                                                                      Entropy (8bit):6.250578884773528
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:7AKn1qFDGSB/5mT+iZ7qVl91fXIux6HtaRtYcFm7B6KfEpYinAMxC6NO:MKn1qFDGT2Vl91wk6HsBm7BlY7HxA
                                                                                                      MD5:6E034C46991A649567D61B8124D6E59F
                                                                                                      SHA1:521E87BF75E0E17F6F9AD7805C1BABB0C546B97C
                                                                                                      SHA-256:BE13A7F910F96B492C76A52CCF52E1D800BBDA00236827DCB946759427650254
                                                                                                      SHA-512:C8B5B78674250B1935E8C9BFACFB58318C7541601BDD8DA64A388775C743C107900C8699B21838E87B323ABA5D2451F94255CA11FB26B5D23C74289E89FE7520
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):776
                                                                                                      Entropy (8bit):5.037356665456624
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:MMHdGp2VYF9LNFF7ap+58hOf/2//3QOFip+5v5OXrRf/2//FicYo4xT:JdszvPF7N8OH2//3dVhOXrRH2/d9y
                                                                                                      MD5:336CAA70D9EF388EDF8B234E5FC40CEE
                                                                                                      SHA1:864CCB7643FC99313E5ACBEB59D608CD179E01BB
                                                                                                      SHA-256:9BB07566C5CEAF46CFC1164A63553BB3C00AD8A04138211C6EBA81B60F4FE355
                                                                                                      SHA-512:EB037FF55C7D61A4170A9143B7BA40CC43DDBC9E8DF673D7AF03548C27C4410F53A5CDFAFE8942559B9E5061419512F3C8FAA5A6D32ED147DD33F832CF43E637
                                                                                                      Malicious:true
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>... <supportedRuntime version="v4.0" />... <supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12
                                                                                                      Entropy (8bit):3.584962500721156
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:WhXWo:WBd
                                                                                                      MD5:C91AF97F5D31DA1F8587189542A14906
                                                                                                      SHA1:7A552C0BE3A8C7B82F5FA83FF78ED0FB0B9457C2
                                                                                                      SHA-256:A64001C3764D8F56723ACB78FE86FAE386609E98F61B7625A7419C58E2B55316
                                                                                                      SHA-512:CD2AE3F50BC7E33954ACFCB4A3DD97241A820592A90657CE9B2380E869EC192E719CD69475422B2F74156F409D0850C56B21A4C8D1FC643BC7DD8DA16166A5E4
                                                                                                      Malicious:false
                                                                                                      Preview:version=23.9
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):96816
                                                                                                      Entropy (8bit):6.1809368759805565
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:fJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJd/50vks00UfafgVU7HxLW:fQUm2H5KTfOLgxFJj550vksVUfhVUhW
                                                                                                      MD5:E5A53B1B8DB89B3965134FE3CB8DF7B0
                                                                                                      SHA1:B7661710B26F04A4AF6E530085BD9EFAF507A31B
                                                                                                      SHA-256:4DD785220EB7EB9F8114AA8AC125649EB7AE79685A7A9A6F7819B7C1011BF752
                                                                                                      SHA-512:266281D307ECA1F2107CC2A71E0B4A1A7105219E74F4FAA0CB93C791FC0AEACE28D41A541755078A72F1EFC2A9B6AE50F4C84F334080DAC129D9FC99022456B2
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):670
                                                                                                      Entropy (8bit):4.870186870231866
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:5lh3rwhI4IaMFj27/tUYCQpU0E+dqo6rHQknd77psLlO:l334IaJUuU0E+QHQk17psLlO
                                                                                                      MD5:B4ECFC2FF4822CE40435ADA0A02D4EC5
                                                                                                      SHA1:8AAF3F290D08011ADE263F8A3AB4FE08ECDE2B64
                                                                                                      SHA-256:A42AC97C0186E34BDC5F5A7D87D00A424754592F0EC80B522A872D630C1E870A
                                                                                                      SHA-512:EAFAC709BE29D5730CB4ECD16E1C9C281F399492C183D05CC5093D3853CDA7570E6B9385FBC80A40FF960B5A53DAE6AE1F01FC218E60234F7ADCED6DCCBD6A43
                                                                                                      Malicious:false
                                                                                                      Preview: Copyright (c) 2017 Chocolatey Software, Inc... Copyright (c) 2011 - 2017 RealDimensions Software, LLC.... Licensed under the Apache License, Version 2.0 (the "License");.. you may not use this file except in compliance with the License... You may obtain a copy of the License at.... http://www.apache.org/licenses/LICENSE-2.0.... Unless required by applicable law or agreed to in writing, software.. distributed under the License is distributed on an "AS IS" BASIS,.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied... See the License for the specific language governing permissions and.. limitations under the License.
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):710192
                                                                                                      Entropy (8bit):5.960474505704917
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:bBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUg:bBA/ZTvQD0XY0AJBSjRlXP36RMG5
                                                                                                      MD5:4C7831F91F22C4329B35B60687D4FC00
                                                                                                      SHA1:3B867787EF3B6207310250EFFD192D6DFF209C9B
                                                                                                      SHA-256:F9A13F6AD27604B8DF15F9A42203413AD211EA43D0CDB9B19957CCE3C94A3F46
                                                                                                      SHA-512:EB33DC0A1C65934C5A22764A0A951B2309BA5F27F13CECFF91FF91E0B3C8DBC633E37BA11C55F88D24D9A584B8F1F8653AF866053DB6F468AC71C56C249ADC0C
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):50224
                                                                                                      Entropy (8bit):6.202750116213148
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:0SrEZvG2rO17QaCg2zJMnLVPPKctfhSm6EpDWJkBnCvZuSEpYinAMxCA:JsG2KuD7iBnzz7Hx7
                                                                                                      MD5:5F703134E04CA2F1D499592C3A649FFB
                                                                                                      SHA1:9B365DA17EBD8C341C37DD914B7806C55A073581
                                                                                                      SHA-256:A91E9AED1DCE65F7A6C2D87CBA17087ECC5B6BC2BFB9955B416B81F98F9E01AA
                                                                                                      SHA-512:A356E2A0663001407D01A5DAD533C428E495E55F5C2531AE0915C2F8127528E46D96412EF6CA1E6B1B3679CD7D7F84D2B5C4FA1B9D38306F8818BA01E4942512
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):662
                                                                                                      Entropy (8bit):4.952846219984862
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:TMHdGzNFF7ap+58hOf/2//3QOFip+5v5OXrRf/2//FicYo4xT:2duPF7N8OH2//3dVhOXrRH2/d9y
                                                                                                      MD5:0F638DECEBA5011AF737C29E90C20F6A
                                                                                                      SHA1:1484B6084C8231231C7C472A57E6835B4A3EA146
                                                                                                      SHA-256:B50494F0DDF2AC7DCFB74BAE526E74F67FF501AD0CD5B712834829DAD9563368
                                                                                                      SHA-512:0E26D3AD25DE0FD761D4F15E714AA136C19427AA02469BE8A1D0CE639FFC398E798BA30F19DBC77C8A231FC1B849D07A88C2BDC797C9D191847663F15ECA2917
                                                                                                      Malicious:false
                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):301
                                                                                                      Entropy (8bit):4.898878940140915
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:tVb5kBm7ObCDL7fsDPV7gRQQgb5kBm7ObCDL7fsDPV7gRvgOBLy:pem717f8PV7UQQ6em717f8PV7Up9y
                                                                                                      MD5:F5ADB4BF688F888451346501914E801D
                                                                                                      SHA1:B7103D27E3A34C5EA878D342FEE1C317234274A7
                                                                                                      SHA-256:D3524D2EEFAD5EDD967349655A68F23475D7C78B5BD97731AAF7AB353F277245
                                                                                                      SHA-512:4B517B4260D8F67443E5B581AD4AC07EF819C46B7B2504ADA75E26049D09176548E30CD469501ABC9CA35F1FA62B6FB2FBE218F39A4D85D786F511BE39A5EE2B
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\08-29-2024 04_34_22-log.txt, Author: Joe Security
                                                                                                      Preview:.Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...Enabled allowGlobalConfirmation..Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...0 packages installed...
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):436
                                                                                                      Entropy (8bit):4.905081788666757
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:pem717f8PV7U0WCRFPem717f8PV7UO+fo6BNVB:pVR897eopVR897N+fo6BNVB
                                                                                                      MD5:9683C2504D40159F61B3959C0A32CFBF
                                                                                                      SHA1:8C48078C62E591E0AC0C4DC193C34549E3F68B9C
                                                                                                      SHA-256:60ADB7E66BD8BC30D38511ACBC518E75436841E92A0D794C1ADC2D80DDA795B0
                                                                                                      SHA-512:B1B52F942383154B1B14E450ACC3122747D35032F6433E8C3D1B210E658CB65EB3B7A17D2845B0201A6013B7412BFF912B58C77A7A314AA525CFFE0727CF3D2C
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\08-29-2024 04_34_23-log.txt, Author: Joe Security
                                                                                                      Preview:.Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...Nothing to change. Config already set...Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...Outdated Packages.. Output is package name | current version | available version | pinned?......Chocolatey has determined 0 package(s) are outdated. ..
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6655024
                                                                                                      Entropy (8bit):6.267134376801171
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:98304:FCMEM0MUMRMxMwMkfqbjxbSzGVr4W11ByHY4W6upIw2:9lV1qKpkfqbjeGVr4NHYJ60B2
                                                                                                      MD5:5EF9992E5A127EB43285711E5ACBC07B
                                                                                                      SHA1:2DB7BB0FFF5E516BC5524BB340554DAE5FF44C1F
                                                                                                      SHA-256:4D756FCD37CD44EB88C9E349B783E8314A0460954F0507E60BEB389514E4773D
                                                                                                      SHA-512:41B364356B95A06E7B578C16B4E5B1A4401416A850C564AEF95D050D06603D167030A1645EFD9733D822CA1D8B3DB4C7FC68CD2904D6A6B0DB3D7F72B2E87D63
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (495), with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):9380
                                                                                                      Entropy (8bit):4.897876021534469
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:rwhyxWvf7L6ZapbrzRmXBzCWKZD68NJ+IK2E8V1ExAuVXI4n7rJ+ZXVx:sjL6Z+Ht6B+WshDK2EiEJ7lEFx
                                                                                                      MD5:9D1528A2CE17522F6DE064AE2C2B608E
                                                                                                      SHA1:2F1CE8B589E57AB300BB93DDE176689689F75114
                                                                                                      SHA-256:11C9AD150A0D6C391C96E2B7F8AD20E774BDD4E622FCDFBF4F36B6593A736311
                                                                                                      SHA-512:A19B54ED24A2605691997D5293901B52B42F6AF7D6F6FDA20B9434C9243CC47870EC3AE2B72BDEA0E615F4E98C09532CB3B87F20C4257163E782C7AB76245E94
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<chocolatey xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">.. <config>.. <add key="cacheLocation" value="" description="Cache location if not TEMP folder. Replaces `$env:TEMP` value for choco.exe process. It is highly recommended this be set to make Chocolatey more deterministic in cleanup." />.. <add key="containsLegacyPackageInstalls" value="true" description="Install has packages installed prior to 0.9.9 series." />.. <add key="commandExecutionTimeoutSeconds" value="2700" description="Default timeout for command execution. '0' for infinite (starting in 0.10.4)." />.. <add key="proxy" value="" description="Explicit proxy location. Available in 0.9.9.9+." />.. <add key="proxyUser" value="" description="Optional proxy user. Available in 0.9.9.9+." />.. <add key="proxyPassword" value="" description="Optional proxy password. Encrypted. Available in 0.9.9.9+." />.. <add key
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (965), with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12946
                                                                                                      Entropy (8bit):5.132019659587194
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:ctpHjcTfbZO0g2ZyAvGZkAsoXCxAziDR/67E4Pb:ctpDBCvGZkAsCCxAziDR/sF
                                                                                                      MD5:0BB54C9DA241E0EAAFB6C976AC07EAA7
                                                                                                      SHA1:045808C9106A4C356AB15A2D8680FDB737DC98A6
                                                                                                      SHA-256:071CE6FCE85051E373C1B05BB82A92FFB8BEBF34C768B7A2F6E809000A78479F
                                                                                                      SHA-512:C118C9FEC5903D1F2F6A6FA070130FCEBAAD70AF3459DA82069C5C8ED3D66CEE374C098C6247CCD528187B6856FAA458EBBD8B6F2C0C68C2A5B8EF32C2D7CD75
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....# Ideas from the Awesome Posh-Git - https://github.com/dahlbyk/posh-git..# Posh-Git License - https://github.com/dahlbyk/posh-git/blob/1941da2472eb668cde2d6a5fc921d5043a024386/LICENSE.txt..# http://www.jeremyskinner.co.uk/2010/03/07/using-git-with-windows-powershell/....$Global:ChocolateyTabSettings = New-Object PSObject -P
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3903
                                                                                                      Entropy (8bit):4.986280475081154
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:cSyL+4pGXHFKoqWJBYc4R2wf3TQJb3jl7t3iv:cSyL+QGXHMWJB7VFUv
                                                                                                      MD5:1CF35331F337493A5B5B8C482E32B507
                                                                                                      SHA1:149D5B5ABB4FF20CFAA333946BAAEC6B8EFA5630
                                                                                                      SHA-256:CCF763934E3801002C260246316DF70C64C66E7721C24B300C634567F5885A39
                                                                                                      SHA-512:03652CA25D2A78860F735B57600B940D2723DD23E24A2632D5CA76DBFACBF95CD1090428FB6AC23BF945AB20C1C201155CF26161361853DB94A5D85AE753C0A1
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....$helpersPath = Split-Path -Parent $MyInvocation.MyCommand.Definition....$global:DebugPreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentDebug -eq 'true') {.. $global:DebugPrefe
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1178
                                                                                                      Entropy (8bit):5.161789340951933
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:cSyJ3554IpgyZA0SU0E+SlHQk1GpsLAjQSDg6pucReEe7:cSyX54pyFd0AlH31KoLKRed
                                                                                                      MD5:610AD6370C8DACB3861200B8827DF768
                                                                                                      SHA1:E6831DF0C1ADB4664BDE6D2D48DCE28CC1918A83
                                                                                                      SHA-256:B06996C9A26663FCF41B2406D12C4597075AB7F94CDD320EEE64EAC9AEA95DFD
                                                                                                      SHA-512:C3A30128443E47D5D38CFD8C989E8317668EEDA6B4E85BEE94B76034479DEC0BED4C980ACD797153259CF0DF2807E79C3B3F4AAADF21E255A35BBDBE2F2E16E9
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# ..# You may obtain a copy of the License at..# ..# http://www.apache.org/licenses/LICENSE-2.0..# ..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....if (Get-Module chocolateyProfile) { return }....$thisDirectory = (Split-Path -parent $MyInvocation.MyCommand.Definition)..... $thisDirectory\functions\Write-FunctionCallLogMessage.ps1... $thisDirectory\functions\Get-EnvironmentVariable.ps1... $thisDirectory\functions\Get-EnvironmentVariableNames.ps1... $thisDirectory\fun
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2892
                                                                                                      Entropy (8bit):5.176658574720988
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:RkBibyQwcYIRQcRwAshP5l8kRMCpEMwK/JvoPEY0nzWBIxjO0L5E8bWHtt6rh4:eiAc5HGAshhCQMChR/JsZYzWBeO85Ecm
                                                                                                      MD5:EF32E09F41D2F8234E4482C6B52FFFB1
                                                                                                      SHA1:446185592825F7B7894CC5A9E2FCB4F015B9E810
                                                                                                      SHA-256:ACC5E8AB085FDD00B1C333853D74B1EC15777212A435C2DE8B56A490BE07103C
                                                                                                      SHA-512:7273DE65F571C4302BAC73C3FA3AEBDB7887B923EABAC10457C2A2C329B67979726440ED0C5E190C7728676D9382D4C8E2F4D030336630BC82AC7AE2FB20B58F
                                                                                                      Malicious:false
                                                                                                      Preview:.param(.. [alias("ia","installArgs")][string] $installArguments = '',.. [alias("o","override","overrideArguments","notSilent")].. [switch] $overrideArgs = $false,.. [alias("x86")][switch] $forceX86 = $false,.. [alias("params","parameters","pkgParams")][string]$packageParameters = '',.. [string]$packageScript..)....$global:DebugPreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentDebug -eq 'true') { $global:DebugPreference = "Continue"; }..$global:VerbosePreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentVerbose -eq 'true') { $global:VerbosePreference = "Continue"; $verbosity = $true }....Write-Debug '---------------------------Script Execution---------------------------'..Write-Debug "Running 'ChocolateyScriptRunner' for $($env:packageName) v$($env:packageVersion) with packageScript `'$packageScript`', packageFolder:`'$($env:packageFolder)`', installArguments: `'$installArguments`', packageParameters: `'$packageParameters`',"....## Set the culture to invar
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1751
                                                                                                      Entropy (8bit):5.27319452124258
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:cSyJ3554IpXAAyU0E+SlHQk1GpsLAKFoYlMp9TlxNAZiTxGEXL5FGX/OFchWoCah:cSyX54q90AlH31Koyh9xnFVVc/4oqPli
                                                                                                      MD5:12E0A95C9BD0A49DA769C2927C648DFB
                                                                                                      SHA1:33174164C23D10B43E26CEE56E1A6FB60E8D9F4D
                                                                                                      SHA-256:3A2A002BD7213ECCE52FB82C470B824770A11DEB0A33DDB319A24824CE4676DA
                                                                                                      SHA-512:D19E22031409B216A10815FE606852712EF0136B9056541774DC66AE9C57994DE5A667AE1F925D547D1BCCF6AE9221D939F7CE2BFC87ABC98C634858E1CCAA7B
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....Function Format-FileSize {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Formats file size into a human readable format......NOTES..Available in 0.9.10+.....This function is not part of the API......INPUTS..None.....OUTPUTS..Returns a string representation of the file size in a more friendly..form
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (505), with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):11504
                                                                                                      Entropy (8bit):5.008896354130034
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:cSyL+QGXHpi+o8HrDe07ZUWKVjakELFiuPOizDIinqSQ/fa:ctL+QGwKS07ZUOZPpDDyfa
                                                                                                      MD5:9443CB695D075DAA7DE91510A1E35C14
                                                                                                      SHA1:7676604D3C1F0BD26632DC41FCF1310908D422C6
                                                                                                      SHA-256:7095FB2F3F44FEE977D3B53DEE93B952D04325108B090F5F7E8503F758C27F18
                                                                                                      SHA-512:2D0B8C3345B6573F56A54D357BB700D83B3AB5A40DED0AA2DC5A40DAC0523DB86BBC5BAA10CB3B4B1785123B8F32CEC5A86F350AF315A2BFF6885C08BD77758F
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChecksumValid {..<#...SYNOPSIS..Checks a file's checksum versus a passed checksum and checksum type......DESCRIPTION..Makes a determination if a file meets an expected checksum s
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):10482
                                                                                                      Entropy (8bit):5.191184135569746
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:cSyL+QGXHphcdudY/xIVBO6zgV6ZlR86nFTDzH0sQsPbnJ8Yc9bTp05va:ctL+QGTqudY/xcBOSt3XHRJNva
                                                                                                      MD5:F740F29F0AC79C7E5BA69B1CF3E6DC74
                                                                                                      SHA1:8F609B5BDCCE295AEF29011858B31608D26E8E04
                                                                                                      SHA-256:550231F4568914C786BF3BDE0FF4897DCE761084D33CFA6D8FD462B34A779D88
                                                                                                      SHA-512:FC567A01086E8E6A55AAD1E3AEA0E9639E2F8C03399728A5421214E1E0CBF726A7D0F7422EBE3CE74C226F27C11C051760CDAD2AFBB5E69294152669929AB05A
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChocolateyUnzip {..<#...SYNOPSIS..Unzips an archive file and returns the location for further processing......DESCRIPTION..This unzips files using the 7-zip command line tool 7z.
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16502
                                                                                                      Entropy (8bit):5.146477219224201
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:cSyL+QGXHpWybOWetWKW3VjEve49W9cO1kazvJwKEDbrj:ctL+QGPnetZ2EvXOlybrj
                                                                                                      MD5:CD302EF4E080D330A9DEAFA584C049AB
                                                                                                      SHA1:53B98CD3540A35FF32E1E6DDA2BB3F786FAE23ED
                                                                                                      SHA-256:3E18EB6CF646474E9259E932679E04DF1CC4322E2E354A770F32A0F7D67C72A4
                                                                                                      SHA-512:B0D74A92DFB16CBE799C781CAD2702C6932BA5B15A28EE5AF2FB56A4CFA4317B2347AF227A9484A0536CC95674CFBB89343E3955C2457AFD0D23854963D85BFC
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChocolateyWebFile {..<#...SYNOPSIS..Downloads a file from the internets......DESCRIPTION..This will download a file from a url, tracking with a progress bar...It returns the file
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4123
                                                                                                      Entropy (8bit):5.288017280806032
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:cSyL+4pGXHFKotzWfp1Vr4MeAWMK13MqhPTv6ee5:cSyL+QGXH3Gp1VrSAQ3Mqg
                                                                                                      MD5:E564E914B196DAC040D08110D5D8718D
                                                                                                      SHA1:2532E9010D3A67A6FF345F2564A843800DC59CBB
                                                                                                      SHA-256:5AF7D3DC6B44142492B9E31A69352873D43D570D7D4718B2942A67D3D6180951
                                                                                                      SHA-512:06127E83C2BBDA160183D3DC5E51E652E2011C760B561DA639BDF847F085DB3E93E3C5F0B5C12C1114D228C3882E0FBC81418CF9CAA3C04FA837CE0A68574EFF
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-EnvironmentVariable {..<#...SYNOPSIS..Gets an Environment Variable......DESCRIPTION..This will will get an environment variable based on the variable name..and scope while accoun
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2060
                                                                                                      Entropy (8bit):5.165746374691896
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-EnvironmentVariableNames([System.EnvironmentVariableTarget] $Scope) {..<#...SYNOPSIS..Gets all environment variable names......DESCRIPTION..Provides a list of environment variabl
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7947
                                                                                                      Entropy (8bit):5.051645140778019
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Preview:.## Get-FtpFile..##############################################################################################################..## Downloads a file from ftp..## Some code from http://stackoverflow.com/questions/265339/whats-the-best-way-to-automate-secure-ftp-in-powershell..## Additional functionality emulated from http://poshcode.org/417 (Get-WebFile)..## Written by Stephen C. Austin, Pwnt & Co. http://pwnt.co..##############################################################################################################..## Additional functionality added by Chocolatey Team / Chocolatey Contributors..## - Proxy..## - Better error handling..## - Inline documentation..## - Cmdlet conversion..## - Closing request/response and cleanup..## - Request / ReadWriteResponse Timeouts..##############################################################################################################..function Get-FtpFile {..<#...SYNOPSIS..Downloads a file from a File Transfter Protocol (FTP) l
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2930
                                                                                                      Entropy (8bit):5.220783998189862
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-OSArchitectureWidth {..<#...SYNOPSIS..Get the operating system architecture address width......DESCRIPTION..This will return the system architecture address width (probably 32 or
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7233
                                                                                                      Entropy (8bit):5.212503071724739
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2016 - 2017 Original authors from https://github.com/chocolatey/chocolatey-coreteampackages..# Copyright . 2016 Miodrag Mili. - https://github.com/majkinetor/au-packages/commit/bf95d56fe5851ee2e4f6f15f79c1a2877a7950a1..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....# special thanks to the Core Community Maintainers team and their work..# on the Get-PackageParameters function that is in the..# `chocolatey-core.
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (333), with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3761
                                                                                                      Entropy (8bit):4.908858016895155
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ToolsLocation {..<#...SYNOPSIS..Gets the top level location for tools/software installed outside of..package folders......DESCRIPTION..Creates or uses an environment variable that a user can control to..communicate with packages about where they would like software that is..not installed through native installer
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1891
                                                                                                      Entropy (8bit):5.216117200464903
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-UACEnabled {..<#...SYNOPSIS..Determines if UAC (User Account Control) is turned on or off......DESCRIPTION..This is a low level function used by Chocolatey to decide whether..pro
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6009
                                                                                                      Entropy (8bit):5.183782879831246
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-UninstallRegistryKey {..<#...SYNOPSIS..Retrieve registry key(s) for system-installed applications from an..exact or wildcard search......DESCRIPTION..This function will attempt to retrieve a matching registry key for an..already installed application, usually to be used with a..chocolateyUninstall.ps1 automatio
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1815
                                                                                                      Entropy (8bit):5.188333753523367
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-VirusCheckValid {..<#...SYNOPSIS..Used in Pro/Business editions. Runtime virus check against downloaded..resources......DESCRIPTION..Run a runtime malware check against downloade
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12827
                                                                                                      Entropy (8bit):5.065872919066253
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Preview:.# http://poshcode.org/417..## Get-WebFile (aka wget for PowerShell)..##############################################################################################################..## Downloads a file or page from the web..## History:..## v3.6 - Add -Passthru switch to output TEXT files..## v3.5 - Add -Quiet switch to turn off the progress reports .....## v3.4 - Add progress report for files which don't report size..## v3.3 - Add progress report for files which report their size..## v3.2 - Use the pure Stream object because StreamWriter is based on TextWriter:..## it was messing up binary files, and making mistakes with extended characters in text..## v3.1 - Unwrap the filename when it has quotes around it..## v3 - rewritten completely using HttpWebRequest + HttpWebResponse to figure out the file name, if possible..## v2 - adds a ton of parsing to make the output pretty..## added measuring the scripts involved in the command, (uses Tokenizer)..#####################
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):9247
                                                                                                      Entropy (8bit):5.07010917787166
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License...#..# Based on http://stackoverflow.com/a/13571471/18475....function Get-WebFileName {..<#...SYNOPSIS..Gets the original file name from a url. Used by Get-WebFile to determine..the original file name for a file......DESCRIPTION..Uses several techniques to determine the original file name of the file..based on the url for the fi
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):5960
                                                                                                      Entropy (8bit):5.140316008573171
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-WebHeaders {..<#...SYNOPSIS..Gets the request/response headers for a url......DESCRIPTION..This is a low-level function that is used by Chocolatey to get the..headers for a reque
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6283
                                                                                                      Entropy (8bit):5.232086061865062
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:cSyL+QGXHN0Vk7arlCnBVV+7oc9KYjWndTmw:ctL+QG05rlwguh
                                                                                                      MD5:5617A2B6826D73A80E864B42A3404E72
                                                                                                      SHA1:61522560BF997DD79C6649F0C1D198510E19430F
                                                                                                      SHA-256:9FC392C4558C2579517F24D945D8E1741EB4A5D7893E4E2DCA6CA756443AB328
                                                                                                      SHA-512:B4EA54386B427AC314854AE3584EBF7AEB9E178026346917B05249A28CF831FBD7F87D12CCF56F00DA9C4F55ABC7324E69C4AB9B367258AC2F35960BAFEFADF3
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-BinFile {..<#...SYNOPSIS..Creates a shim (or batch redirect) for a file that is on the PATH......DESCRIPTION..Chocolatey installs have the folder `$($env:ChocolateyInstall)\b
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4293
                                                                                                      Entropy (8bit):5.147557599553147
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:cSyL+4pGXHFKooCb/InyxVkR8PIoIxAETBXSYG:cSyL+QGXHeCjIGVo8qXSYG
                                                                                                      MD5:06FC3CDC03EC16E85CE73D558D58742B
                                                                                                      SHA1:C73F95322D853B964AD241CD9B1EFD1A6AF8B101
                                                                                                      SHA-256:E6E24F83FDA53709F7EA93F73533314156F1DA0B028FC7BD063BA1720D1A6ADA
                                                                                                      SHA-512:A1BB72C33CC1544432B6E4A3317843331ECB70D954DBFC195A3A6AD3FDF18280F807BF2A9DEC06D036111A46062EE04A87C2D315F4E895D2C7F2DAAF6B4CB48A
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyEnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-VariableType 'Machine'.`....Creates a persistent environment variable......DES
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4549
                                                                                                      Entropy (8bit):5.216765809932499
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:cSyL+4pGXHFKobx0W2Pq44GGVq/r6ck8Tr6ck012gMe5RDJRmR0GRSd:cSyL+QGXHBx03x4rVqDQ8vQubL5HItUd
                                                                                                      MD5:D283FDF0627E77F4745CE26CBB134DDB
                                                                                                      SHA1:D41419D3F8DC3F22B37E5CDE1090CF19879F8466
                                                                                                      SHA-256:C4292F8767BD7E74E85C4AABCDB9EB0ED3B564693AAC1F568EB02FF7529DF027
                                                                                                      SHA-512:A14822AEC4351C106325F1403F79DF444CB53C03CB09AE0FF15169CEC821102A11186B321F9FE8CEFC35932FE02A874E984EECADDA3EC5DCA52AB7EDEE9DB1F4
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyExplorerMenuItem {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Creates a windows explorer context menu item that can be associated with..a command.
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3080
                                                                                                      Entropy (8bit):5.192518177403395
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:cSyL+4pGXHFKoognbqHdyVO6ckUf1eg9DgH:cSyL+QGXHqgnydyVOQUf1eg9DgH
                                                                                                      MD5:44D634D52E391B61FEA2B3311FD130C4
                                                                                                      SHA1:AC5184FA6552AD3D2D58EBD53563ED3238E089FF
                                                                                                      SHA-256:22FA3870EC2455426BD2BA94B5DC82C241D16F1DBD1AC6979787E947B39563AE
                                                                                                      SHA-512:53F5C0D5865DA75816B663CDD4279938401498416A2AD4FD4A7667CC93042D4FBCBC7B2F2F1FD3864CFADBC73908730C6EC7761A77207511861CB277AF8DBF59
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyFileAssociation {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Creates an association between a file extension and a executable......DESCRIPTION..In
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):14313
                                                                                                      Entropy (8bit):5.166123502608628
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:ctL+QGm9UIirNuMyrnyBOXOrH2ZoBZiLtM+h1yBPSa:ctL+yG9PKQaOyaBEl1+PSa
                                                                                                      MD5:7BB19403672F88442C8510579DEEA62B
                                                                                                      SHA1:D7685A3C16C53822D696EE3479451BCF1C42860A
                                                                                                      SHA-256:FDAE94594F6DDF60874760BC0E8306422681CE7C177BFA811A625AE74363CCAF
                                                                                                      SHA-512:8383D42946F02B72676BF3F6016C0CFA9355AE840320354111B8E40CD9567F46B558B4B60809BF6F0B1364A1F84E6815DC04B02D2F42078E0057F1990CCC83A3
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyInstallPackage {.. <#...SYNOPSIS..**NOTE:** Administrative Access Required.....Installs software into "Programs and Features". Use..Install-ChocolateyPackage when
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):17164
                                                                                                      Entropy (8bit):5.102467977763193
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:ctL+QG/i9AUaHrN+eNbVPoC8XdI96LMw9lpWo:ctL+jiKUW+eNbVPHMG9Gz
                                                                                                      MD5:EF3DA9AA21D97701F975F6E7EC05790D
                                                                                                      SHA1:C78F165791049FA3A17218AE2ADEECF79C628E15
                                                                                                      SHA-256:917FCEC8CA28B0EF404F565AAECF7FB850E193326D012583927CAA8BB55FB3EC
                                                                                                      SHA-512:40C18493196A1395EB72629042E0BE98F19CF657E402FF0F21447A238879157534BBCA632C40B047B42C4EA46C9935D40EF53604DCADB5552B8F6D4A5027C809
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPackage {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Installs software into "Programs and Features" based on a remote file..download. Use Install-
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4341
                                                                                                      Entropy (8bit):5.172978110813656
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cSyL+4pe90AlH31KoMb4lFkF9lr4cr8QCz7rVgAY+AExSNzwdOq7FuRFu7lVENiz:cSyL+4pGXHFKoETMcePrVnxAExSsl73
                                                                                                      MD5:B8FD2F73466C4538F16B753C1707E185
                                                                                                      SHA1:DEEAFE9F90676AC71FDC879D856A5FF312AF0D74
                                                                                                      SHA-256:1134D81094235B52249BD974129142BCE3B9796387C0D7CE71CE68A909A5C6B6
                                                                                                      SHA-512:BE6FCFB5FCBA314D4CE62FB47B3A292AADD6C7FB6723D042FC603211B7DFC20D8E2213132BA0ECF29A00050A0C7640E00FF6638EA499A2C0A33D8FBCFBC004E5
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPath {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-PathType 'Machine'.`....This puts a directory to the PATH environment variable......DESCRIPTI
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2645
                                                                                                      Entropy (8bit):5.278706654776255
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cSyL+4pe90AlH31KoMD+4RXPXbVSPDqA9FM4jImbO2Poq+:cSyL+4pGXHFKoi7bVSe+M4jImg
                                                                                                      MD5:9432BDECB1FAE8A80B302A6216A7615B
                                                                                                      SHA1:80C6C8255413A9B9E2BD8DE14B274DFEF1F6E86A
                                                                                                      SHA-256:20510B09D631C0E5D9E6E4E5F0FC47EF47C1A413FE3F83A2413A2F4E42E1B649
                                                                                                      SHA-512:F6BF39157FB67D7434CCC6F80CF7E13C04302243BE3589D8FF85ECDEA1A19559091BA86FD7BB22671B239F16136ABC8FA84A156477497B32B35E9721EF9B7103
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPinnedTaskBarItem {..<#...SYNOPSIS..Creates an item in the task bar linking to the provided path......NOTES..Does not work with SYSTEM, but does not error. It warns
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):9319
                                                                                                      Entropy (8bit):5.106965440646972
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:cSyL+QGXHni8ybOOeHYlqWKWXVWpRXrHoyf4yc0q1:ctL+QG3ij9e4lqZfc1
                                                                                                      MD5:D95A27860316FF9415C6E59530A4F83E
                                                                                                      SHA1:16CA9BB81AC55A4EE814915F919FCE89634D637D
                                                                                                      SHA-256:F6A1CEB186C30AAD003EAE9B71FDEF4D1DC0D989C81FFDD844C5E9B82EF9532D
                                                                                                      SHA-512:4FBE61563130EF06FC69C5FEEFAD59A6FB4DF01BCA7C289A9E8E7B3D16B06BE8BB652AAC7DBF5548BCDDB7F9EEFC2E739B707694BF18995C645F4715DD43C1D3
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPowershellCommand {..<#...SYNOPSIS..Installs a PowerShell Script as a command.....DESCRIPTION..This will install a PowerShell script as a command on your system. Li
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7888
                                                                                                      Entropy (8bit):5.219559860002251
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:cSyL+QGXH9mufXMVW7Vb944B6/yS/LIiP8/HahiJqhx8l91b:ctL+QGtmufXBVbwBPi6cJ4x8l91b
                                                                                                      MD5:B67CDEF057B2B5376CFDBE1F51AC241E
                                                                                                      SHA1:12B3484E2F85D5C591F1DDD178BA71F224BC232B
                                                                                                      SHA-256:D09B2B6B3D43259E79E6778581BA884B526D7A0687C90B19F38EF5B0CA1E5752
                                                                                                      SHA-512:BDBEC684B46B3039C7C369901C618E4D0313588B4AB3AE3A10C20CA89C9F2CFB24430FF360FA63D813B920088C7CE5DE17C20C193E0F5FBE40495A86212760FA
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyShortcut {..<#...SYNOPSIS..Creates a shortcut.....DESCRIPTION..This adds a shortcut, at the specified location, with the option to specify..a number of additional p
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8855
                                                                                                      Entropy (8bit):5.1654657712280985
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:cSyL+QGXHrDorybOY2W/thNuVwBE6nBEvEGYfpxIDcO:ctL+QGNk67zyYpG7
                                                                                                      MD5:B751C9113B9601DC1B66D597F86474E9
                                                                                                      SHA1:E69E72AEAC3BBF5E3DE0C307FE62C0D293FCE36E
                                                                                                      SHA-256:E821C31B1A2C9CF7BB6AF12BBB70D88DC30ABADCBD68197982A0DCC6EEF7C982
                                                                                                      SHA-512:BCA21C385EA43B62CF113D35E3A50A66E69C6CB98BDE874DC38D6B517206456C4B3726825EA962E0F1676FD8ED936C51DD8FE7D85E9C1F3A336FDC961A53A662
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyVsixPackage {..<#...SYNOPSIS..Downloads and installs a VSIX package for Visual Studio.....DESCRIPTION..VSIX packages are Extensions for the Visual Studio IDE. The V
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):9740
                                                                                                      Entropy (8bit):5.124129906660506
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:cSyL+QGXH5l6ybO41LHHPWUWYhNfhNuVtsYzrPr:ctL+QGJlhXlHvbVPLYzLr
                                                                                                      MD5:A9F2320F7C75DB38BA32DE454DB14F41
                                                                                                      SHA1:52869D1B9C412DC5AB848E1E363A2F1C043A6EBA
                                                                                                      SHA-256:D5C38F705555D2F334308EB27E8CFADA3E1503390A19D99C26810295047815E7
                                                                                                      SHA-512:D40A8228A93F7543D1F447BC2989A5A9714F07F6CDE411801659483A0BCE5BD5696B5631DEC89FE6D4C9DDD87F29002A421627C9CF60EC57A6A93E02F028BE85
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyZipPackage {..<#...SYNOPSIS..Downloads file from a url and unzips it on your machine. Use..Get-ChocolateyUnzip when local or embedded file......DESCRIPTION..This wi
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2178
                                                                                                      Entropy (8bit):5.225120339484231
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cSyL+4pe90AlH31KoM4eAjm3LeoXPNpxdeVP3YJxxKW2W2VlWp:cSyL+4pGXHFKoZjmnP3OVPUxxO3le
                                                                                                      MD5:5082284C6F295B50B7C28303E52D2770
                                                                                                      SHA1:08D320C56CA725CFC8D558E5C923836EDC369DFD
                                                                                                      SHA-256:D488957D7BEFF9256A176E7EA1F6D167604C175B44746B2B86B7EA0480F8089C
                                                                                                      SHA-512:F8AB98CD8A14ADFA9FED578867A6188F6CBCA5E4361FC0D17D5BAA49818DF7A24BE94C616A8FE6821B75FDCE853D426464BA8E6CE8824E2A47912F26204A8241
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-Vsix {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Installs a VSIX package into a particular version of Visual Studio......NOTES..This is not par
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4463
                                                                                                      Entropy (8bit):5.326623524611151
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:cSyL+4pGXHFKo9LAVZVTfGqqHQ6+MiLMK+SIgEGZkxpU3gZCjfocO:cSyL+QGXHvAVLGqqHQ6waN9A3a
                                                                                                      MD5:C5ADB094F8B04B9D9E4E7FA429D0568F
                                                                                                      SHA1:64A4EC9D365702E1D279F0958B67EDAAC1CCFF72
                                                                                                      SHA-256:A7E60AA5802ADC6E16D105C693819D7B8F5396C9B18BB32D4E55A1C6EDDEE409
                                                                                                      SHA-512:20654DDEBFB81F1AA49BBBA3CF9C8BB2A03DA48C1D14DC63F4C200F8374393430E2515D85EE39B3EC788EFD97F8D442F07D36C06595263D57D6FEACA5B9DE152
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Set-EnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-Scope 'Machine'.`....DO NOT USE. Not part of the public API. Use..`Install-ChocolateyEnviron
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1711
                                                                                                      Entropy (8bit):5.130959499082034
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cSyX54q90AlH31KofO/OuBT0fkaCVYBt4PHU:cSyp4aXHFKozUVYBt4c
                                                                                                      MD5:73DCA113BBA352B82F814797A5E075B5
                                                                                                      SHA1:B514007F4B97D41584B73A1BFFBE24B37131CCD1
                                                                                                      SHA-256:A4F55463BF3258F02058B8A568A4F650B6DEA54BE1E5851C9339D53DBA2CC08F
                                                                                                      SHA-512:9F0D8D5B5C418BDBD9034EF8BFEBA20D4F1D99B37F4DE7867102E6486BA6F5BA7D9CB5C34E7D9649546B74E81B6E238EB8CBA8BB458C7A0AFBC975B49ED04011
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....Function Set-PowerShellExitCode {..<#...SYNOPSIS..Sets the exit code for the PowerShell scripts......DESCRIPTION..Sets the exit code as an environment variable that is checked and used..as the exit code for the package at the end of the package script......NOTES..This tells PowerShell that it should prepare to shut down....
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (495), with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16063
                                                                                                      Entropy (8bit):5.071535838625921
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:cSyL+QGXH8SvdSIVLWDL+G3YQwJOm1JzzN566OdHYrZxmrP17OrnwflAflNKc1+R:ctL+QGRvdSIWDznmzzvOUrIWjKEM05q
                                                                                                      MD5:C653DD51F0E2EF62BBD7F782C8DAE3AC
                                                                                                      SHA1:860325CDDF15E97C487A2351051517C89E414316
                                                                                                      SHA-256:120D4F0ECD7D4AF742CCE72D4CE86EBD960F3FC83FBB58860BECD79147830585
                                                                                                      SHA-512:417FD7B7609E7F002F8915D0E8EDA8EB3932FE3F4F7D88070457D2B08251CF0063C3B283C2129A02BAD6361812A16CDD1F3DFB26F55043181F9680D8B073B32E
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Start-ChocolateyProcessAsAdmin {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Runs a process with administrative privileges. If `-ExeToRun` is not..specified, it is r
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1913
                                                                                                      Entropy (8bit):5.085202352125102
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cSyL+4pe90AlH31KoMwr86KhPWBT2TiCWezzwYYm6tFnzXHtQ:cSyL+4pGXHFKo2PD2CWbm6nnzXq
                                                                                                      MD5:12DE733D7CE18AF405D81469211573D3
                                                                                                      SHA1:89C23822D6717F00281EC45FB24F420678B9901B
                                                                                                      SHA-256:F07208BE10E70B4774168EC7C0CC86FC594F1D37D991E766EC46EE335302B083
                                                                                                      SHA-512:38775567CC21292C3E06E6F7A44BC7A3C525CC2A49A95E114CFB0C4BFF2AF7EDAEFB4D09A3FD777482BCB0088507323B5618128B96A4716BE9655010A390453F
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Test-ProcessAdminRights {..<#...SYNOPSIS..Tests whether the current process is running with administrative rights......DESCRIPTION..This function checks whether the current process h
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2897
                                                                                                      Entropy (8bit):5.162176606162476
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cSyL+4pe90AlH31KoMjgAOTJEd4phQ44Yb1eVGXsjlKo9obKB9x/kgeoS5:cSyL+4pGXHFKod+aSZVLjo7m1Ju5
                                                                                                      MD5:B0DDD1F261098CAF4092E78539A61796
                                                                                                      SHA1:6F753444CE488773EC7AD4942BFB79BF79BC2A65
                                                                                                      SHA-256:12E80EA9AA3D894DB1BB1999DD766EF4925ECD59FEC8DEDCABF241DE96E1A949
                                                                                                      SHA-512:5C624D18321916C905287595ECC72CF996F24F27E68E22F35C1D07AD7004F579EE64D3E0AE5AE6867DE13A02E61F9893D3DB848A82D41FEC309C77DD88752F75
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyZipPackage {..<#...SYNOPSIS..Uninstalls a previous installed zip package, may not be necessary......DESCRIPTION..This will uninstall a zip file if installed via I
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3683
                                                                                                      Entropy (8bit):5.175198661740516
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:cSyL+4pGXHFKo2fFecAVuAlxoVGv5nPcdTmqKYDqnShM:cSyL+QGXHc0nVuAlOVGvpPcdTmx
                                                                                                      MD5:FCD698961855179908D84E45C1699CD3
                                                                                                      SHA1:449CF377EA5EEFC250DF24DC64F36F374C3EA022
                                                                                                      SHA-256:093191162E950B4CFDCDD066865C74E47F3F05B3543A9A98A7B82AD98C8236CA
                                                                                                      SHA-512:96C0B5867C19A9F06C81F507102FDBCC270BEBAB132E8A3EDE88CED129E369D282AC5F874B0F0AB94214C41C857EF74735909045AA3FDACFF96C74A38FA7AFB6
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-BinFile {..<#...SYNOPSIS..Removes a shim (or batch redirect) for a file......DESCRIPTION..Chocolatey installs have the folder `$($env:ChocolateyInstall)\bin`..included in t
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3131
                                                                                                      Entropy (8bit):5.1027007896112115
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cSyX54q90AlH31KoMSta1Qr44qR4MXbVqlzmwETvp6SCodQsV:cSyp4aXHFKovRVKVwETB6SCu
                                                                                                      MD5:256F7D3F77746A9167E513497A1DEF85
                                                                                                      SHA1:0F213C21586F176C405C1877C6E7D2FD5B8E85AC
                                                                                                      SHA-256:4CE0A48B7A6D6FE997324F7F916DEA532754E4C371CEE38CACE5134EA1D3A101
                                                                                                      SHA-512:763263F5E68A1CB7391394570A7CCDDAF518A1522E3F0435EA62848631A03CF278E15F6375F02C0466CBEEBB4365BA419ADB3AB6549BA3BCB09C9BB718825F03
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyEnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-VariableType 'Machine'.`....Removes a persistent environment variable......DESCRIPTION..Uninstall-ChocolateyEnvironmentVariable removes an environment variable..with the specified name and value. The variable c
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6062
                                                                                                      Entropy (8bit):5.047713257621158
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:cSyL+4pGXHFKoQ79vUU2ZTooaYjuVSQPsVeqYQfiyLi9xSQeSDHyXfOWQfpQf6:cSyL+QGXHweZdlFV8bQ7ov
                                                                                                      MD5:39599553B392FDEA36398A474FD623F2
                                                                                                      SHA1:89587AEDEC8ECADD274EE80EE43101032A55BAD4
                                                                                                      SHA-256:716E51F45EA009C6AEC10F123C58A837516E59910CD0DFB274DF0FF6A56EBF08
                                                                                                      SHA-512:1BA55A2CEC0EA911B3418FA8B1979EE8EF45C16033C82F1794416CA85D8F7D9B2618855008F8014BD1FA2A8466ECEB9E36A41E985122F8D04C765051C6DAF5C0
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyPackage {..<#...SYNOPSIS..Uninstalls software from "Programs and Features"......DESCRIPTION..This will uninstall software from your machine (in Programs and..Feat
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3611
                                                                                                      Entropy (8bit):5.0574071891740795
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:cSyL+4pGXHFKosxHb1u5jen+UMGeKJ1qeg:cSyL+QGXHWp+i5MzK/g
                                                                                                      MD5:AB7F32D92867D5CC52CB177374C656C2
                                                                                                      SHA1:ACB20AAADD71C921899DE91640DA2AB5F78984CA
                                                                                                      SHA-256:A1AD9ED3C049CA14C7970AA17CF5C6A28448E70FF2BE4E438A61C6DAB68E82B7
                                                                                                      SHA-512:22295E4C289EC0057B3F13A3B9C18B9B02CC4379D8E1F4F6FEBE48A45A05D92A5384EC158E4370CB5E67F33751377C2CD81C4F8E555145C49BF7680FE545F905
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Update-SessionEnvironment {..<#...SYNOPSIS..Updates the environment variables of the current powershell session with..any environment variable changes that may have occured during a.
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1974
                                                                                                      Entropy (8bit):5.219633769893594
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:cSyJ3554IpXAAyU0E+SlHQk1GpsLA9i9yVMppqTDf3nQytTxGEN8X/+nKB0chWqc:cSyX54q90AlH31KoMYpqfvVF2M1zrvn
                                                                                                      MD5:6A2F945A16F003443B3C14907163C357
                                                                                                      SHA1:EBDDA9AC96E6F71D0BEED493C5074F2CAFE638C2
                                                                                                      SHA-256:279171398D6F65221D4636DA730AB2F07C6DD56321BF76A03D0CA7D3D7B0B574
                                                                                                      SHA-512:C09FC9C169D5197B841EED9D44135F43AA8D11CC0463A567E922FE019545C9036542AD40AF5D64B808AF92E143787A8231CBF4F5B8A2F8F94E48614E8E06EFA0
                                                                                                      Malicious:false
                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Write-FunctionCallLogMessage {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Writes function call as a debug message......NOTES..Available in 0.10.2+.....This function is not part of the API......INPUTS..None.....OUTPUTS..None.....PARAMETER Invocation..The invocation of the function (`$My
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):280624
                                                                                                      Entropy (8bit):5.69143427619248
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:8G0WgexKpGi8PnJcerXUaxX3HVeES4BEIqTTpX/4ormGpnaVTSGCkMhkEn7GAhC7:8JrycoB3HVeESME3pnaVTS1nh7hCaO
                                                                                                      MD5:F9450AE9B1DAF75A772A5CC8D359DAF6
                                                                                                      SHA1:C693C23797E103DEFDB6FFCD95BBD35FDEEB50BF
                                                                                                      SHA-256:BED3F5FDA16870BD55C2BF43ED48C8BE610DDB5D1C17E8E501F8273504A2E04C
                                                                                                      SHA-512:05825B0FA8B4E54D8882C084144148F82F125A18C95F14BD6A0F9AEB394B393F6F1DE6B180D8E87E24D7925D89A1C727A3A15EB1C75511E3EB3FE835BC563CA5
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:CSV text
                                                                                                      Category:dropped
                                                                                                      Size (bytes):454
                                                                                                      Entropy (8bit):5.247529637694387
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:zGYem717f8PV7UqGh/QzQYem717f8PV7UaA9y:zTVR897hk/6VR8972y
                                                                                                      MD5:47EB75A8CFE21491F71C031D723AD9BE
                                                                                                      SHA1:F9FE5D81EA1BE37442F0A6E2B9B4A49DCB0E39A1
                                                                                                      SHA-256:96BCC4EFBBA620D36708928ABF89C258C0487FDD4D1D64ACC5934837C2DDD9FA
                                                                                                      SHA-512:069740EB435042DD05627D00EA4E17DD399C105DE5150F21146FDBEA51B3A0B58498C67CB5C3E4433F553D2E0F65E16B030744DA2CACE31886F2389DA1D980CE
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\choco.summary.log, Author: Joe Security
                                                                                                      Preview:2024-08-29 04:34:21,919 8132 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...2024-08-29 04:34:22,169 8132 [WARN ] - Enabled allowGlobalConfirmation..2024-08-29 04:34:22,231 8132 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...2024-08-29 04:34:22,450 8132 [WARN ] - 0 packages installed...
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):14121
                                                                                                      Entropy (8bit):5.4330984447382855
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:RZFyGiCe2AdC5CzVhgH8TdItU+cAUDgxiW81Ri5e2AdC5CzVhgH8TdftU+4AUDEi:83C5CzzhdItHcAR03C5CzzhdftH4AQ
                                                                                                      MD5:2651E98152C71AFBC1CE70BB7E62E7D5
                                                                                                      SHA1:93F6ECC5FCD55B2675430467862109BBF97B2C4F
                                                                                                      SHA-256:1BC1E356E01A9942F734BF07EF5290939DD083F119FAC4DE1C277C1B3CC6DA35
                                                                                                      SHA-512:41EFAC0309251637EB007F2ECE31DB49791FF143DB969C9B3428266F610FCB04F3DA9B9ABAC2727383A11B897F12BD15A7B30E6A02F39F77E5BF8066422E42F2
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log, Author: Joe Security
                                                                                                      Preview:2024-08-29 04:34:19,325 8132 [DEBUG] - XmlConfiguration is now operational..2024-08-29 04:34:19,450 8132 [DEBUG] - Attempting to create directory "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers"...2024-08-29 04:34:19,513 8132 [DEBUG] - Attempting to create directory "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions"...2024-08-29 04:34:20,294 8132 [DEBUG] - Attempting to create directory "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects"...2024-08-29 04:34:20,388 8132 [DEBUG] - Attempting to create directory "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools"...2024-08-29 04:34:21,059 8132 [DEBUG] - Attempting to create directory "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config"...2024-08-29 04:34:21,669 8132 [DEBUG] - Attempting to create direc
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:ASCII text, with very long lines (3776), with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3776
                                                                                                      Entropy (8bit):5.604628336524123
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:23ata7rZHJfOIdTl/HMSId6k/ShIdHhIQdlzb1kIZK/:23atsrZHJfOITdHZI6k/ShIHhpdBb+si
                                                                                                      MD5:8B277EE8096AD21AA39B9C7DAB767D0A
                                                                                                      SHA1:207E52B09866C63D42E8625594406F87EB59E70B
                                                                                                      SHA-256:EBA661246A0ECDE5F0C9DBEC2FF3CFEBE9BD755D56DE1E42F71252F562C678A9
                                                                                                      SHA-512:610152C5639F86204BC3FB72E800C584B2BD890AFF69E80039A0D8E0BB4F1AB4D33FF9148C6B9A30F7E9B504F1A6CD8ABA81B90FCDDA8E49830F13ECBEB1449D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2340
                                                                                                      Entropy (8bit):5.120693108028518
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:WJhzy3v9zec4JksG5A10JZ65RhS9JlqUp7B9nplD6e7B5yg:42V6Q5A1B5C9L/
                                                                                                      MD5:B4326546C3A252494DCD512976F8B89A
                                                                                                      SHA1:09D10EA0ABDBDE8C2B5BAFE410ED3B96AB0076C8
                                                                                                      SHA-256:9B251737A6B6ACE9FDE45B64FD653B04575C6416F15112FBE1697A47B14990E6
                                                                                                      SHA-512:E58EDC6DC66A289358E7FDE7C3F1D73A0EE1F7A6DB382DD1318FAA205E12271C081617B8366ECD1FCB3A0BC5A98F4B0F0C389C99A63D9EDF7CE1BD230AC85EC2
                                                                                                      Malicious:false
                                                                                                      Preview:@echo off..::..:: RefreshEnv.cmd..::..:: Batch file to read environment variables from registry and..:: set session variables to these values...::..:: With this batch file, there should be no need to reload command..:: environment every time you want environment changes to propagate....::echo "RefreshEnv.cmd only works from cmd.exe, please install the Chocolatey Profile to take advantage of refreshenv from PowerShell"..echo | set /p dummy="Refreshing environment variables from registry for cmd.exe. Please wait..."....goto main....:: Set one environment variable from registry key..:SetFromReg.. "%WinDir%\System32\Reg" QUERY "%~1" /v "%~2" > "%TEMP%\_envset.tmp" 2>NUL.. for /f "usebackq skip=2 tokens=2,*" %%A IN ("%TEMP%\_envset.tmp") do (.. echo/set "%~3=%%B".. ).. goto :EOF....:: Get a list of environment variables from registry..:GetRegEnv.. "%WinDir%\System32\Reg" QUERY "%~1" > "%TEMP%\_envget.tmp".. for /f "usebackq skip=2" %%A IN ("%TEMP%\_envget.tmp") do (
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):136704
                                                                                                      Entropy (8bit):5.174853806484254
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:ED98HpKI6GCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:Y9GpKbShcHUa
                                                                                                      MD5:DDD072DBD2267BCB3081340E57ED092B
                                                                                                      SHA1:04EC398A1DE53DC960A882363A528E162350C57C
                                                                                                      SHA-256:460F604144DD93A3794F75C9E09B2676D7AD1295CD92499FAD80ED3C27990F02
                                                                                                      SHA-512:2271C5846254EAA7389D23EE0241814D06D34257A7B6D44FE7CBEA14F3ACA5101457FAD934B22D2B9B49F1263BCB4209D8EADC07DB93E2B5E01CCDA5BD6ED2A8
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2
                                                                                                      Entropy (8bit):1.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:y:y
                                                                                                      MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                      SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                      SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                      SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                      Malicious:false
                                                                                                      Preview:..
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):137216
                                                                                                      Entropy (8bit):5.162895637606263
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:KMU90HpKOrGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:K59OpKgShcHUa
                                                                                                      MD5:0BCC21AC34291B167EC4D73079EAE085
                                                                                                      SHA1:BAEF2A7349E2C6269BBF2C8C6654C492683FC73E
                                                                                                      SHA-256:14288199533B10CAD97F5917447979BBC4685F20255AA073EC1BB828D3CF6A2C
                                                                                                      SHA-512:9B7CC423E4F27DFF6006425311A6CC39CBA9CB5D3D4966C81FDA21C5907A434B6A748A92B65229A01A65440D8BA2D87D9E8C99CE80E2062569232A10AE74F9BA
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2
                                                                                                      Entropy (8bit):1.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:y:y
                                                                                                      MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                      SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                      SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                      SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                      Malicious:false
                                                                                                      Preview:..
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):137216
                                                                                                      Entropy (8bit):5.162623164553414
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:1w9mHpKZNGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:C9UpK7ShcHUa
                                                                                                      MD5:55CC3EA23C5430BE7B5A75A52157DA18
                                                                                                      SHA1:AB1D482F2B5E7E0DAD31EA18B78D5F8EA849B87D
                                                                                                      SHA-256:BE0494DC91E38456E22692F3AB1891C56871FB82A83ADFDC58F8F890141ECEC9
                                                                                                      SHA-512:C09E0476E2D1F69A878195A4026954C5D74C0B5318254A60ABC5909F00A60CCE86D49D29BBF1ECAE498BCE0C2FD2551EFEF0FE287DAB7EAD2FE573CCC833CF3E
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2
                                                                                                      Entropy (8bit):1.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:y:y
                                                                                                      MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                      SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                      SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                      SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                      Malicious:false
                                                                                                      Preview:..
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):137216
                                                                                                      Entropy (8bit):5.162059784215363
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:YE9tHpKrvGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:795pK7ShcHUa
                                                                                                      MD5:4E2DC776C653ADBEBCF5DB16AB53296E
                                                                                                      SHA1:290457CFC7EC45A493CCEACD2CA24A47237494C1
                                                                                                      SHA-256:2DCB2236BB84AE42F4395E72EC67A22CBE0E68ADA4F80FABD7141B5B3D4E7985
                                                                                                      SHA-512:533B424AFD7E5BF831BB72164D91B663A2368D458A3EFFFF7062A15D1AB77585C087FA5A5471D3530CCF30309AC30C35EAA4A9168A350071A64E912E15012311
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):137216
                                                                                                      Entropy (8bit):5.162082250130723
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:GI9KHpKHDGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:l9QpKjShcHUa
                                                                                                      MD5:76385C4CF0842546103EDD75662BDAD7
                                                                                                      SHA1:BC42B5817E6BB3568CC6D7C0BD2B03E8B723024B
                                                                                                      SHA-256:67EB4084D0BD361C42FFD7AF025167BAFCE8496A35CA6616945E0942386C6424
                                                                                                      SHA-512:BAB9B5AE9B89697A7FA83D0D29A4DB0B777F126EEC8DF3BAE9B009AF9A0D556BB79BF2DCED1D26C7A8E900AC5AA7DDE07CEC334DA6418925F352554383F77EC2
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):137216
                                                                                                      Entropy (8bit):5.163276282537277
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:pS791HpKIqGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:pO9xpKbShcHUa
                                                                                                      MD5:5C9628C46256D0F6B14DE2168CBED8CC
                                                                                                      SHA1:B7284385B0076623B76EC3FB2398B5EE8F3B9F85
                                                                                                      SHA-256:354C3758A1F9E5A39E7292E9CCA353F815358977B3CC9A704BCEAB257AC6C24C
                                                                                                      SHA-512:84886CF1632EFA70D8023F99A663E809422DFCC1C566793EF52078551DA105BFF1B2F9D54E197D8CCE53C3C725226635D623D9D539B5BFD4C17C802286EFADB4
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):137216
                                                                                                      Entropy (8bit):5.162239721051707
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:TR9vHpKmEGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:F9/pKvShcHUa
                                                                                                      MD5:8783ED37D6871AE20E4A65A655788A7E
                                                                                                      SHA1:C42F5B032CF27FFC36869C22D5BE0363AC2E5AF4
                                                                                                      SHA-256:5AFEF49A1BB85ED16EE7EF08D9ED694F166A9500701728770E50E92978566C5B
                                                                                                      SHA-512:1FE424147DBAD7978F0C856D152F3236685C52DBCA5DD6AB7A03E5D1B8A08566FDF4574C4704FBEDF286A4C13B354D771E25D1B725D55578C14E9EAB2D8F9898
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1167872
                                                                                                      Entropy (8bit):6.603432444128302
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:Gxb5vMX35l5UVrIdhcMEKWnttf7eePboHvVxSfOtl:GxbSz5UVrIdhnW1Pc96Otl
                                                                                                      MD5:0DCE103B0102ADEC3279797665B7A4AE
                                                                                                      SHA1:C121392BAB6DBA8D04BEE89C6B526E8E67650CC8
                                                                                                      SHA-256:3DB62076E5FCC897FF29DA47FE4029900A4AD696B395B6FA96ACFF1229444C1D
                                                                                                      SHA-512:20F0F02097694579AC8794D56411FBE2D97C47D37794CB52AFDABC9956C0452E8A3BB273ED34E463F31927E29E7E41C0FDDB82FBBE688DD39C4113C00EC91BC9
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):513
                                                                                                      Entropy (8bit):4.971000586893018
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:TMHdt43O5GgVNSSN/aN/2UjMNciq2xA5NEG:2dt4+GgBNCNFjMyisD
                                                                                                      MD5:8F89387331C12B55EAA26E5188D9E2FF
                                                                                                      SHA1:537FDD4F1018CE8D08A3D151AD07B55D96E94DD2
                                                                                                      SHA-256:6B7368CE5E38F6E0EE03CA0A9D1A2322CC0AFC07E8DE9DCC94E156853EAE5033
                                                                                                      SHA-512:04C10AE52F85D3A27D4B05B3D1427DDC2AFACCFE94ED228F8F6AE4447FD2465D102F2DD95CAF1B617F8C76CB4243716469D1DA3DAC3292854ACD4A63CE0FD239
                                                                                                      Malicious:false
                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="7z" processorArchitecture="*" type="win32" />.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">.. <requestedExecutionLevel level="asInvoker" uiAccess="false" />.. </requestedPrivileges>.. </security>.. </trustInfo>..</assembly>..
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):331776
                                                                                                      Entropy (8bit):6.512244761259412
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:J5lqo52kDzMYDJSi7+Ni2ER9Vh98+1PrEVhkQf0huIDaLOjm:JMqzBDJkk2ERvT8MPAf/O6
                                                                                                      MD5:7187AE605F4DCE14BB23EA2623956335
                                                                                                      SHA1:F7C1DF33B875C98F41DCDE24117D89D42D25B7CE
                                                                                                      SHA-256:9E2631C19B243C28B0980607CED2540E9447B1166572483475547C1A9DD4AC0E
                                                                                                      SHA-512:F64522E2FB6BB61884FE53C34E79B355EFB9EC33C02B2CD67D729AF7D763E7B3873A5C7CE6AC7BB4567E6BCF8C70CADBC66F511E8BB151AB05096A832032BC8F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1927
                                                                                                      Entropy (8bit):4.78095675693374
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:aCpXZHRo7dL53iEu+byAHsv7g6z0zBZfNP3VyFA:dlq7XTu+xCz0NxxVwA
                                                                                                      MD5:899A48828B85C4B0402EE7CF1F65B62B
                                                                                                      SHA1:73BA604E5A4E4EA6FB4AD23B8ADF3982B2C82D10
                                                                                                      SHA-256:20343526E04CE61EED2675282462E7080D305246F7807386621149C2025765D9
                                                                                                      SHA-512:EFD02998961261FFA64332EA13876906D55A8BD8209BF94F922D97889DDF1181129B6A08E5747F1C0A07E69CFC3A05E86D18AFC3E06325B51598F52360881B1B
                                                                                                      Malicious:false
                                                                                                      Preview: 7-Zip.. ~~~~~.. License for use and distribution.. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.... 7-Zip Copyright (C) 1999-2016 Igor Pavlov..... Licenses for files are:.... 1) 7z.dll: GNU LGPL + unRAR restriction.. 2) All other files: GNU LGPL.... The GNU LGPL + unRAR restriction means that you must follow both .. GNU LGPL rules and unRAR restriction rules....... Note: .. You can use 7-Zip on any computer, including a computer in a commercial .. organization. You don't need to register or pay for 7-Zip....... GNU LGPL information.. --------------------.... This library is free software; you can redistribute it and/or.. modify it under the terms of the GNU Lesser General Public.. License as published by the Free Software Foundation; either.. version 2.1 of the License, or (at your option) any later version..... This library is distributed in the hope that it will be useful,.. but WITHOUT ANY WARRANTY; without even the implied warranty of.. MERCHANTABI
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):29184
                                                                                                      Entropy (8bit):5.423222213276874
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:02aUriLtuRZFwdpyTmNSHSBLVogO6QlRSO/:1r0ARZF6NFVogjQlRv/
                                                                                                      MD5:5CA71CBFF5A8DE7E5E30B6E94CD42069
                                                                                                      SHA1:991701A32492D743430627CBFBD56D6884C32588
                                                                                                      SHA-256:23FBD1EE66FCE6872E97B2FE84C409AB30A74FE8720B722BC6F8BAE6E7764C04
                                                                                                      SHA-512:77E31EC0DCA4E4895D3A4C0E84C6C1516D94089763F1735CAC150EFCD4EEC36107BB810E24D94C1208B7A80881D858DBFE887B32DA6F6D8F0C48F21C2525D0BE
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):150
                                                                                                      Entropy (8bit):4.731888600769331
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:vFWWMNHU8LdgCQcIMOofoObWNRXGws8FLu+gNlFueRObK4QIMOn:TMVBd1IGPKNxgUaNNu5W4QIT
                                                                                                      MD5:E9AD5DD7B32C44F8A241DE0E883D7733
                                                                                                      SHA1:034C69B120C514AD9ED83C7BAD32624560E4B464
                                                                                                      SHA-256:9B250C32CBEC90D2A61CB90055AC825D7A5F9A5923209CFD0625FCA09A908D0A
                                                                                                      SHA-512:BF5A6C477DC5DFEB85CA82D2AED72BD72ED990BEDCAF477AF0E8CAD9CDF3CFBEBDDC19FA69A054A65BC1AE55AAF8819ABCD9624A18A03310A20C80C116C99CC4
                                                                                                      Malicious:false
                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <enforceFIPSPolicy enabled="false"/>.. </runtime>..</configuration>
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):95
                                                                                                      Entropy (8bit):4.721635609555772
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:SZdFVJMXLreqXy1Wfardzl7BZyOX35++n:Sls/t+WfKj+OXV
                                                                                                      MD5:A10B78183254DA1214DD51A5ACE74BC0
                                                                                                      SHA1:5C9206F667D319E54DE8C9743A211D0E202F5311
                                                                                                      SHA-256:29472B6BE2F4E7134F09CC2FADF088CB87089853B383CA4AF29C19CC8DFC1A62
                                                                                                      SHA-512:CAE9F800DA290386DE37BB779909561B4EA4CC5042809E85236D029D9125B3A30F6981BC6B3C80B998F727C48EB322A8AD7F3B5FB36EA3F8C8DD717D4E8BE55E
                                                                                                      Malicious:false
                                                                                                      Preview:CheckSum is licensed as Apache v2 - https://raw.github.com/ferventcoder/checksum/master/LICENSE
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):565672
                                                                                                      Entropy (8bit):5.0581002983018335
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:hjgGwLGK4Uk0Ycoi6DdP51S2XI5cgGlKFTvr5pgx1v9/oLUmP9nVy:h7wj4kYcopdPm2ac8+1vVmPHy
                                                                                                      MD5:F7B6AA803BE23C3192FCC2058D208F44
                                                                                                      SHA1:A9569D1A4948FD33D388BB263B5CFF0D66E3BB34
                                                                                                      SHA-256:D489923F1F91954B8AA15CD0E763132B9033780481D850D74395F5AB6E266C7C
                                                                                                      SHA-512:7FD6E1B291503AC9A67128BAC2D6C8F21B40CE9DE99E015866FC62C79CBBAFCD25F3F43A0EB77A00B20C1D6BE9504E85458D503647BF2CF93BC71DAFB64AF122
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3758
                                                                                                      Entropy (8bit):4.882012677800436
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:wwVl/ldfbBaq9k4KM8da2J7LbyM71wKPC/:rVl/ldfsn4KM8daU7LP5wn/
                                                                                                      MD5:89AC7C94D1013F7B3E32215A3DB41731
                                                                                                      SHA1:1511376E8A74A28D15BB62A75713754E650C8A8D
                                                                                                      SHA-256:D4D2EF2C520EC3E4ECFF52C867EBD28E357900E0328BB4173CB46996DED353F4
                                                                                                      SHA-512:9BA2B0029E84DE81FFEF19B4B17A6D29EE652049BB3152372F504A06121A944AC1A2B1B57C6B0447979D5DE9A931186FEF9BD0667D5358D3C9CB29B817533792
                                                                                                      Malicious:false
                                                                                                      Preview:Shim Generator - shimgen.exe..Copyright (C) 2017 - Present Chocolatey Software, Inc ("CHOCOLATEY")..Copyright (C) 2013 - 2017 RealDimensions Software, LLC ("RDS")..===================================================================..Grant of License..===================================================================..ATTENTION: Shim Generator ("shimgen.exe") is a closed source application with..a proprietary license and its use is strictly limited to the terms of this ..license agreement.....RealDimensions Software, LLC ("RDS") grants Chocolatey Software, Inc a revocable, ..non-exclusive license to distribute and use shimgen.exe with the official ..Chocolatey client (https://chocolatey.org). This license file must be stored in ..Chocolatey source next to shimgen.exe and distributed with every copy of ..shimgen.exe. The distribution or use of shimgen.exe outside of these terms ..without the express written permission of RDS is strictly prohibited.....While the source for shimgen.exe is
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                      Category:dropped
                                                                                                      Size (bytes):342355
                                                                                                      Entropy (8bit):7.999222579004313
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:6144:fLe4N0t70oZhKySScszMVqdFYU6cm5w8rsKYIGXNAYpCvMgZ33c6Mg3rRSw:fLe4470+hKyJFzKqctcm5pluXWJvMg5t
                                                                                                      MD5:E27812C62B44D50108046AED9727CA73
                                                                                                      SHA1:8B8B8B6D7408F90276D316C6EE87C8C3D4709D60
                                                                                                      SHA-256:9EBC30153A86EED1F8785709B941B6141AEA67F7E2483CBF2ABBEE556E873203
                                                                                                      SHA-512:89636345624539C81394694F3ACFC308ED97A5331ABF1035E4AC983DBAC18414151D6346171CA7FB0FECD1A53F16E0A7B66CEAAF9736C30475B1CE98A0D2D402
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):73264
                                                                                                      Entropy (8bit):5.480932323340301
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:SpfpyM3uykm7XvXiJQd9Sy2pJoUvAfuc7HxeX:062T2co
                                                                                                      MD5:00A4D22D776D110ADCC63F0C567131C6
                                                                                                      SHA1:88EBB71C2DDB4733F10107B35AAAA3FBCFA52473
                                                                                                      SHA-256:01DC7B7F54222FA9494BB76A61D81A793A232A39AB2C07E2F0BD12152441F5C0
                                                                                                      SHA-512:B80264CF36B749985E3F03FFB5BC47C07342BEA27D547AEED28999D0D6E4F9A207DFBFB0DD2806D5F483A857EA9076A07BF51EE6D87144B6FB4347A829E5DE78
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):541
                                                                                                      Entropy (8bit):5.097123194334321
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                      MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                      SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                      SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                      SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                      Malicious:true
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12
                                                                                                      Entropy (8bit):3.418295834054489
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:WhXXLUn:WBXgn
                                                                                                      MD5:D97129F80E5F51DF4BC807C70026AFD1
                                                                                                      SHA1:B83B2AF5910230202F77D5665A1529143191C1FB
                                                                                                      SHA-256:815491D276BAA5B6E48C5CB43A85F777B7308BA791CE354F4EFB0DF936F314C1
                                                                                                      SHA-512:C730BFF87F8CA8EE7A78ADCEE7A3EE87BE308DB3212535CECF067B7FCABCEB7B558CD5E0737D12C95C86BA862A43D95F21CC82C1FD423C1DAFF246129B46C853
                                                                                                      Malicious:false
                                                                                                      Preview:version=22.1
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):96816
                                                                                                      Entropy (8bit):6.1807776376128585
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:5Jt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7HxwU:5QUm2H5KTfOLgxFJjE50vksVUfPvCl
                                                                                                      MD5:4DAA19F0B5C29DDDAC45AD19C63E8D6B
                                                                                                      SHA1:EA97E4FDC567CE6EC439E11533CB7E1668B82E8E
                                                                                                      SHA-256:F71FBE9D385D713F2833798A5141F3A74C6261980E64C5E59E1DB81C520F73D8
                                                                                                      SHA-512:2BABB207DF5D6A9391646906E6FB52ABC6644F14B846FD3B47C8D793B6EC236BDE3872A958DF63EDAC201280919D4A7F7C129313E9B1711285456508DC35D517
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):710192
                                                                                                      Entropy (8bit):5.960797168894863
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:kBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUw:kBjk38WuBcAbwoA/BkjSHXP36RMGF
                                                                                                      MD5:DEB13F3C39F77E4D6CEF5D7A53165178
                                                                                                      SHA1:07970FCFFE5D4CCE3DABA1305011573F3744492C
                                                                                                      SHA-256:4DD53ACB2324704EDC4125AB72F4C235780B8480F77EA084FA53CB57E0346EEB
                                                                                                      SHA-512:8C96E007DC027E5359819C85CD8A349333462919D988F82E4F4787F37BB49BD499E432EBE03A79E75E74118FEBAEBE430C2B2CC4E8029D2E9F796C77CB5F56D6
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                      Category:dropped
                                                                                                      Size (bytes):637958
                                                                                                      Entropy (8bit):7.999354686674398
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:12288:HVd5b8dhfpvZ3U9ygocoFAdF4r0el92pBW/wFIlzxDFBLXJ:HFbyhfVsySoKdF6D2pswmlpXd
                                                                                                      MD5:767D5DD4AD2D6A3E0FF3E45DB47A9657
                                                                                                      SHA1:982A2AF2C94AE33CFB240A30A1C6433E5E5689DF
                                                                                                      SHA-256:156218F309CAF003096CB28C2FFCD74A0989E4FD0207E485A3292A4D8D1C48ED
                                                                                                      SHA-512:E8104B3622BF07059131F3F0A8DC9EA44C7B0E32213F534AEAE229F000B01425B72955197DC776F1B5750FAE2BEAAE888A2EA1D62B1630D3FC5D79B4C57317D2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):51248
                                                                                                      Entropy (8bit):6.297269575035048
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:MNb66jeKAdzF2a11sxKN/NEQDg8vM2j7HxqW:MQ6jeKAd5b1S2/NPBU2jR
                                                                                                      MD5:26E9CCE4BD85A1FCACBF03A8C3F3DDCA
                                                                                                      SHA1:3F78C454CC72D4C5B2A0F295530391904EC87948
                                                                                                      SHA-256:50F399A3867DEAB18530F8F3E72D489A15F62D6E250F4F795C7BB735F9522899
                                                                                                      SHA-512:D57C6A799C01A3F67AFB3DDEDDDBD49ECFC17C2347BEC24ED85207A846547F6288D2023961EDCAB67DFC512E0B1DA187C475A7D01BB1005A61D337EC4FEA0FE0
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):973
                                                                                                      Entropy (8bit):5.01886272205883
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:JdsVPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3s77O7Rgdsg+w3Sg+78w
                                                                                                      MD5:3CCA9B00717A374829CA50C82C1E70CF
                                                                                                      SHA1:357729D1CBFA36318D8A91BDC8C039E254A7CAA2
                                                                                                      SHA-256:4161C6070CDBCB94718A6E76931AE38CABEBB70E5B00C55E799E72E61F0ECAEC
                                                                                                      SHA-512:C172CF13115FC724799C50218F00A1055FA84DEC6B9FA28F7C981DE94D4DE64CDC7797E903D4E8B87CA2FAC535B62EB395E372656183C75F42E7086598C3C435
                                                                                                      Malicious:true
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12
                                                                                                      Entropy (8bit):3.584962500721156
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:WhXTLd:WBTp
                                                                                                      MD5:B1DE0EF19266A86B8F7A2BCD03ECD23B
                                                                                                      SHA1:AB91C344BFECEF0CDB73119D4C5C72BAA8CD21E7
                                                                                                      SHA-256:50578EB887B529FB77AFAA4F3A888ECA57E2D640F4789BBEE470F1EFF04DEB7F
                                                                                                      SHA-512:656C69FF2C62F2704AC409AA3B04CB78B9767FE908BD0BE4C6977A469B68D7C5F83B786EE915BECF5244E70892A48A92B9D0CA9A767EA329B63A6EAD98F9F274
                                                                                                      Malicious:false
                                                                                                      Preview:version=26.8
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):102448
                                                                                                      Entropy (8bit):6.190977882973481
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:VPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxo:V2bYbYSWd85I5sSakFQhHL8i
                                                                                                      MD5:6C0E7E9151E242E401EEBBC13558E3F5
                                                                                                      SHA1:9A5963712AD9E0F336A4749E7C258A67EF6260FA
                                                                                                      SHA-256:77D6B8CB94B6CF5B399704C3CD5877211D99FCCA58F94D120998FC41185D0E0F
                                                                                                      SHA-512:02E5E5FA52BDA5CFF5181196C6A62913FA87D6675CBA27FBFF3D0C50F305BA4CF8D9D8C4016EDC90AB1513BA39D89B50566BFF4D05585583EF03B8AA17BEA793
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16432
                                                                                                      Entropy (8bit):6.857474166817892
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:w9c52LPirPW94/DNyb8E9VF6IYinAM+oCOX3lq:w9cym2KEpYinAMxCg3c
                                                                                                      MD5:E1AA9E74F8E36783187BA548C26A1D95
                                                                                                      SHA1:52FD9D58877986DCDDBDC5C1DAC6825C5720A4F1
                                                                                                      SHA-256:CE46D831129B265740E521A614DE1F2BEE211F350FFC9643407C75308E1DBE06
                                                                                                      SHA-512:B2D79FD01D4D0BC3CCFFCD62ADD4BC45BB25561892CD23299163EDA10896249F53FD966015B7655C209B33EE413C10565D51861298061E3886B43E77E59ABDB2
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):542
                                                                                                      Entropy (8bit):5.041389931890446
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                      MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                      SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                      SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                      SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):398896
                                                                                                      Entropy (8bit):6.134467211026903
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:WjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvH:W+e55LgIkTmyAAfTnMLvH
                                                                                                      MD5:6C03B5CEC0E3BFF6410B020CAC7EC662
                                                                                                      SHA1:DE5C6B33A97BBF0B3063CF44DACE307FEB968BF6
                                                                                                      SHA-256:05C2739F2AFA9A05514CD75C12BE6C0CD73A8356A28B3FAF84140FEEE416F339
                                                                                                      SHA-512:06900ACBA446F813E8181E42A0713B5BBD568068960DD0620C4EDF0F3C096E4C8B409181AC8FC51A24F638E37F908B6212E22DB3799107B51578B6853A8E60C0
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):710192
                                                                                                      Entropy (8bit):5.960755198774021
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:eBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUj:eBjk38WuBcAbwoA/BkjSHXP36RMGi
                                                                                                      MD5:FA365D16F9EB02769CE0ACF75C31C832
                                                                                                      SHA1:F83D3F502E92DAD01574D16FDE5E7CA81C53A5DB
                                                                                                      SHA-256:63A690F6523922CB55B065764ABA61BE69F11AA93C8437C01485BCC4AC182F46
                                                                                                      SHA-512:E26E077C0C5806B3D4E1ABBB06087D08921CF6A46FA700343AA373213180BF9EABD7822CE418E24973909A515BA5B73DD0902402020E5A4AC56D387E378C4AD8
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):18480
                                                                                                      Entropy (8bit):6.708180254980656
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:1qPstMu7M72kNyb8E9VF6IYinAM+oCiSFDKJup:1vMuo7/EpYinAMxCbeup
                                                                                                      MD5:C9A5D57AF074418532A591B4443AD16F
                                                                                                      SHA1:4F99922845AF05C64B36BC71FD34468683B389D6
                                                                                                      SHA-256:322D41E1890A28359ED05AC7C3973C2CA3532CB77F8D0646B982A76FE0A68EE0
                                                                                                      SHA-512:461CCFF9F349E6F8BE27F50C54464CA65AEC23DF6C4DEFB5A4AB085F8239899CE88B2C0B2764020807826C92BB2F757DCF39733721595E80C2AAA5A75718D9B7
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):500
                                                                                                      Entropy (8bit):5.044946190927216
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:MMHdGp2VOD9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsHPF7NhOXrRH2/d9y
                                                                                                      MD5:5EF8C402347FEC5555700DB9D649C349
                                                                                                      SHA1:2E70D02943060011AF38D9200B3461206F56933D
                                                                                                      SHA-256:718459DA91EB82BD0ED8AD24CC3EABFCA61D1B5C1D9060111F85CC7D84BADCCA
                                                                                                      SHA-512:F2650D2C604459E674810BDA95C37D3FE7747CF67B5736C4275DA91576B36F3FF882FD3F8A5F0591CDF335E935DB716BE827821333297F719C26B1152BCB4D6F
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>.. <supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):22064
                                                                                                      Entropy (8bit):6.676917265704932
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqpodH3T:tuhMaVmzDC67EpYinAMxCWH3T
                                                                                                      MD5:F2016790A63364276B5DE090FF0D9516
                                                                                                      SHA1:C99BDCCD05A8813E6DEECCDFA0FD675FDC57A488
                                                                                                      SHA-256:662DC69A05611BEA25F993F4D249C83340C2F468E9564CA625027A1EA9C84E9A
                                                                                                      SHA-512:41CBB8D586AEACC6E9C156561A4C92EF30C3D50B8D4A91C2A0A41E186891C61776E102AC5DEB95A854C2241734A854320B49A0E0A05F20ECBCDB8A0F7E55980E
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):64048
                                                                                                      Entropy (8bit):6.268502105017609
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:BYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1JEpYinAMxC7z1:BKC9niwOepJ6TJPeb6NIUy7HxUz1
                                                                                                      MD5:9B1EA8A460CDBE957FD464E52CB74F9C
                                                                                                      SHA1:34574DE2F45BDA8A68F49C031A80476D6E6B711F
                                                                                                      SHA-256:41046ADC0E23A6A673C6DDD890C4B43F21A615D470886D59FC436B09B994E7A8
                                                                                                      SHA-512:A99E6C7829C4B6994E8AFDB4538DD8954DCFF96F2C59D62FFC91DA2E833F777F870A2F55A60CADBBED97ABA0F6411D6D40DE33D295491B2AEB45CDC51D485003
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):138288
                                                                                                      Entropy (8bit):6.17978189203311
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:2P3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IlU:2h0qjC5RMOHO420kN1P
                                                                                                      MD5:8D61BFC6E305850F082B2A4FAED267B8
                                                                                                      SHA1:543224920E68C0C7B28C9411ECE8B9F8EAFA7DE3
                                                                                                      SHA-256:B7EF8E721E39ACE9C8C4B4C4490AE5042634637D24DB4A70AF33D29DC4EC5C10
                                                                                                      SHA-512:6AA0C22B6CBD1942AD74386919D8E4F0F69FF47FC97103BDAD3FE029E9137C51DAC70CDB84275AE779965E461BC992DE96028B92A3DB8F0D26B8B53A547CA09E
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):17968
                                                                                                      Entropy (8bit):6.63676850357766
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:7TO9dQWXYW8aVNyb8E9VF6IYinAM+oCJF08IoP:7Cn6CEpYinAMxCk8jP
                                                                                                      MD5:F6E07CB084C3B287E2D2525A597A4D0C
                                                                                                      SHA1:E9191698963EA0613747BC24842DF8C37E6FBE84
                                                                                                      SHA-256:D24366C19E9DFE77B7EA94546F336F20CF8F574F838F68EBB2179C6CBFE4F25A
                                                                                                      SHA-512:5AC38F55D0045BFDB9951154E87ED30E98B200C148897E7BD3C19BEFDA634437A1EC5AA2088CE99F0E17644069EEA93E97AE1DA00DB5746C4784228FE35E1725
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3209582
                                                                                                      Entropy (8bit):7.999885821468103
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:98304:mYT7qppkQy3jVGaPu4pyK6DrwirLgYf/K65Ffa:QprpwHQ/JC6jfa
                                                                                                      MD5:0E076C0A015D1F9C35BF5ED608CFCF12
                                                                                                      SHA1:33C40BDCAD135469A7FF3CFEE203181153189222
                                                                                                      SHA-256:0F36BBD5AE45683A37A3962941BDD0DA9F278A6BEAF87AC8F8091C6F85157A8E
                                                                                                      SHA-512:A3FDB8122208EA4FD629F0DEE8F4F6286A08DF8F7BD567645734C85C035E6C5EF846E4D163378742D4B325987369920C65A23E0D60AE0626CAE48ADAA4EEECFA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):33328
                                                                                                      Entropy (8bit):6.282134223933925
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:l7MUZ7pWikfoGh5yd1pjJpO6HRjBMlYCENyb8E9VF6IYinAM+oCVXF9:yUZlF++VFNByYCkEpYinAMxCJP
                                                                                                      MD5:1EB3651F13B9CFC3D055419FD7E51BF0
                                                                                                      SHA1:ABB29CA7B52A3732FA72B1DB4FFE5D24DCE2204A
                                                                                                      SHA-256:CEDFC67FD7A2D7F81241BFCE8770FC8685D32E208A08AABCB1760613A637D65B
                                                                                                      SHA-512:2B72959A0E315CEC376F4BCBCC713C7F1131EB464D53FC7EC36FB5C35E88F50B9008B8DD99644791D0942C78B4B52918655EA8A3CBDB25DE534D778F8CBB346D
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1062
                                                                                                      Entropy (8bit):5.04288182607063
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:3sIk7O7RgdjdgFSagFw
                                                                                                      MD5:D82D26318224097C2B13F43E879DA855
                                                                                                      SHA1:4626369E38B4505371D1376FB9A50B401B21A7E3
                                                                                                      SHA-256:1BE14A97E8F1FFC962C060B76FFAC47298D02680F235097CABF378EDB3EA34D6
                                                                                                      SHA-512:5E3B09D12E5FEFB6B82DB7E19A3D856D02C683B211F18CEBABC0A6FBEA9B3E84BCFAF414C7DF043F986F78A85DB8A22D4584DCAEBE59CDC0A527D7636B31886A
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12
                                                                                                      Entropy (8bit):3.418295834054489
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:WhXdLXn:WBdj
                                                                                                      MD5:C2FFE395A4BA7255C274F9BC8143BB5A
                                                                                                      SHA1:4A51946866C226A26B0B1BDC52C23F95B3CA414F
                                                                                                      SHA-256:C5C3F526589EDB0F9285DE34F13893B7A704EA5B93DBB8430C086867BE9C4D3C
                                                                                                      SHA-512:2CE60DD77BA2210E27BE78EE73207400B3E5078C85017A460E8E0A64BCF1E165E15B4D8B96C8ABA01B5CB661FC3781B735A327040146E291A290B4FFBB2B7798
                                                                                                      Malicious:false
                                                                                                      Preview:version=28.2
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):99376
                                                                                                      Entropy (8bit):6.189117557062166
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:DlAttsLnppOphwrfNIkZP0kLv+ghDBzmItlVYlkL5ihaO40QhflQCxhB7Hx95:DoESpOPptPkW5ihaOdQhfhBJ
                                                                                                      MD5:3A9175AD769D52B6AC5BC914D5A14706
                                                                                                      SHA1:067DAF8C5929A0A5A1370A7CEF27C3C5353C4EFE
                                                                                                      SHA-256:93D40DCEEACF2CE1E34F9F23DCD622A54C1E3A2B6F87BFC3A9E6AB366C430343
                                                                                                      SHA-512:BD9DDE88F2E46F0EBE8C5C85B9A4B289655A4DC3CBEA8303869F2C4DA5EB4D69BFAF5EBC5666371BF90227E974C5BCC70AF7844E207C00BCACAD60A24B2ECC6A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):145456
                                                                                                      Entropy (8bit):6.203607839046975
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:BRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIh4:39XeDmzV2yzlhKLFU1lLVp1+2flYFsvR
                                                                                                      MD5:E38C881D1464650E1834D5A983537C9D
                                                                                                      SHA1:F47AEB4417E11F706DAB036B7B6567DC2CA2D350
                                                                                                      SHA-256:8E50429E4016C751B2628EA7CB8C3B824894B8FF99315C481DF9076E21571F7A
                                                                                                      SHA-512:5A226D613D13AB39FBF8FFDFB77909BBB352C758181F18291DFF16DA0A0FA892C49AC3A5396DEEB4BFBFDC4766BF207EC142FB918EC18953D732265C3D303126
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):29232
                                                                                                      Entropy (8bit):6.673153419184804
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:YmYaXzmSJL6guJrdvc5tIZmQCaBj4QU3hOTVTDvAGvoOCcdcOFyF61Nyb8E9VF6X:0SJh5tIYQzT5zyF6REpYinAMxC2i
                                                                                                      MD5:D2EC19E81C393064B8E6603829731B55
                                                                                                      SHA1:DC11DFD8E7387B1ADFCE37195EC028CECF117C3B
                                                                                                      SHA-256:967F94E3F9337C3E4E91291472F55F30D90A21680471BB14C5DD0ADF487ED214
                                                                                                      SHA-512:7AB8464BC39EB4344570EB46DCF77B76E462A5ABCA84B63BECF8827BCB005550C66CA56A7FA59CBE455635569D43481BF1F8F15660D446147182093A318C165B
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):219184
                                                                                                      Entropy (8bit):6.0632759727462195
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:hYq80gPJle2CpcKyudA1+PVtMG8e7sw9CcHvhlf:hYqqbe2CSod5dtM8ww7P7
                                                                                                      MD5:D49764A8600D87CA5CD10370388BD696
                                                                                                      SHA1:A58F52527490E004C2CE933C01280CE31372958C
                                                                                                      SHA-256:5B0E2A86A7738283D0F849E143D8592DB60902EFA3612A7213030517EE4F6F82
                                                                                                      SHA-512:696E0767AFB2A8C7F67DF10AA75F10D7A46CEB56FB68103A83C24A5D8ACEF5FB6A02049F128613D832ABFEEE5224283AD15C1C62043809218B6953155A98DC1D
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):320048
                                                                                                      Entropy (8bit):7.048379732590212
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:bkm5mx115y505H0jIfJMSFk9X0jIfJMSFk9x:4YwJMykwwJMykx
                                                                                                      MD5:1B2398AC75EC999551F210EE25E73D80
                                                                                                      SHA1:B06D53E70C8D615929B7FD5046D9AD169348596E
                                                                                                      SHA-256:D418A54E0A0F328142E535F9A8059A4231A4221B893D972A33BF19BBE3D606CA
                                                                                                      SHA-512:3D4B88C72C23053FD87B0523920EBBDAE2389AABDF0D4D3E1DC84B859690656E81EA6FF24E6E39B5BD7432311FFE671100917E564DE2886B4EA4E060C1144713
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):432
                                                                                                      Entropy (8bit):5.0141792226861375
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                      MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                      SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                      SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                      SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):215088
                                                                                                      Entropy (8bit):6.030752183708582
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:61uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sv:lIzm6pOIgvr7m
                                                                                                      MD5:E7D063B516461FA20708685B36587C24
                                                                                                      SHA1:316E0AC63DCF4BDC05B95BC2869AF251D6F5E4A1
                                                                                                      SHA-256:B5A42D67662DEBD7439508349C8EAF890751A7FA518F96D06A367DD84B72F5EF
                                                                                                      SHA-512:60F3EA915FFEA396615D0367FB7BE006FDD9DE0BC6CD88EBD0859557DE3CF108E70C6E9DC5469F52AE639A0D4C91F40242E10BFF593D218D72C268F0CF31CF5C
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):398896
                                                                                                      Entropy (8bit):6.134299339779951
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:ljS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvV:l+e55LgIkTmyAAfTnMLvV
                                                                                                      MD5:89CAB330345D19AEE94333317B641305
                                                                                                      SHA1:2617ECCB48859CF8EE84B6355351CE7726FC2133
                                                                                                      SHA-256:EB8C2915FDFE090607B2FD0637B2E73717019408BA6F577939659B118F8E485D
                                                                                                      SHA-512:5E72059E1E36529BD004D48D56D65C626A885413601610C74E858F3CCE073AD9A03E45E055E1E62F4B0EBD194C12257DF6375C402CE9B5B194F42B1C8A55DC80
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):710192
                                                                                                      Entropy (8bit):5.960800163691142
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:FBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTU5:FBjk38WuBcAbwoA/BkjSHXP36RMGI
                                                                                                      MD5:B6AE9974A69D921763BC32A8B5AEC8D9
                                                                                                      SHA1:4AEF0FA7A0936871005D5E0C7CCC1501123BE285
                                                                                                      SHA-256:9D07B0955E2CB803DC55952D6969C40A9498358A0926577F1C1F8DFAC6729966
                                                                                                      SHA-512:3D646921072564364ED35DC065750110E303D9F50476A8D457ADE6ECBC4EE57CF2A46242D633545DC72E1E0EFD34589581B8C699932475DC91480076931FE81E
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):154672
                                                                                                      Entropy (8bit):5.990920439412128
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:N4wM6OoRu7qywKsqxhDuPr5xJMnOfMAw3TkHjt0QQNOWIkHUsz72otck7h:N4wZywKn/U5xEwKIk0WPh
                                                                                                      MD5:27E53A2322C363CE163DC08BDA5847C1
                                                                                                      SHA1:DD738D980470DD7A7491A4D2934D667B1BFFD1D2
                                                                                                      SHA-256:CEC3910D0EAD3F1E759449AAC5A3139E2053964136F863A8AFD58FF4213A7A41
                                                                                                      SHA-512:DF87F87213E062A8210759D5E60D6FEF8A4C7B237081351EC81988C6CE2073C8CFD202B40ED759B4A62F830EAB1E8ABEB656734D444D03247B70BF42BD39573F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):22064
                                                                                                      Entropy (8bit):6.671072837354353
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:vrMdp9yXOfPfAxR5zwWvYW8avNyb8E9VF6IYinAM+oCAmx:vrMcXP6gEpYinAMxCD
                                                                                                      MD5:2BA71C896B6FF633B4B5F41FF6924B1F
                                                                                                      SHA1:0DC25A378BB9E94010262239346C417A896C0DC5
                                                                                                      SHA-256:B8BDEE72A436A698C7F6D4BF524BDC4F689E9B4AB6296BB67EE95DC88E8CEA0C
                                                                                                      SHA-512:FC993028523659CADB4204AB38FC5961490ED27FA4FE9FB8051403B18E0DAD4E471C4698DAA193633F178848F2C43AC75A054B223E741343F0E03FD7A8435494
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):420400
                                                                                                      Entropy (8bit):6.109698545052421
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:S5douWvsWkOfjL/MEd6/7vfA8SCW1nFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFt:SpjblhW1N
                                                                                                      MD5:F60DD190BE421049E9783FFE4E11C751
                                                                                                      SHA1:3698AAB28B827850CC2E9A92AF48D96288713814
                                                                                                      SHA-256:176E6E58FAE82EE57538399D4482206065215B420602FCDD5B3FC2AD23E7BA93
                                                                                                      SHA-512:0965B2BCC83F19D43A0FF1A9E5719AA112BB233F4FE6B16E171B6C8B7EC833CDD10724346CD427EB74E20166EC8C002AD5E0D4244FD2F637D7A9C47E1A8EBF19
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):142384
                                                                                                      Entropy (8bit):6.161829681988026
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:6UGrszKKLBFa9DvrJGeesIf3afNs2AldfIQy:NBFd3/aFs2n
                                                                                                      MD5:588827F33A62E902C04EA7FB95D9F84D
                                                                                                      SHA1:31D4D3C65146B942A3BC8F293706EBEEFEE908B3
                                                                                                      SHA-256:A29480DF6D93ED6C7F0270AEC505CFEE40C349D6455FEBBC83776A4803A2E45C
                                                                                                      SHA-512:A4E1539257536889B9365C2FC5FFEFAB6A7D59022CBF45A72BEF5ADFF0D8395C025B304D2F8E97DB5A6A30C7187388335D3EC512D88325125A1FB7188E0CB243
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):110128
                                                                                                      Entropy (8bit):5.511597837451873
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:FPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/i7HxR:FWw0SUUKBM8aOUiiGw7qa9tK/iP
                                                                                                      MD5:146213EC7725102C18D84FC0EDC98195
                                                                                                      SHA1:ACF2FF3B1149647A7461DAAD5425792C2606DDAC
                                                                                                      SHA-256:9699401EA7DCFD8CB75C62D7F91E96711E7A984D971EBD5E64106D47249C39BF
                                                                                                      SHA-512:ACCCA66B2245B9A421B54B7C40992BEC79125F498ED50693C4B099AB69A1224B6BECB71D682781F62CE190C9D78F9AC582B2C2E4528B33FA07C114827712D221
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):17968
                                                                                                      Entropy (8bit):6.672325153709117
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:Eh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBKM:Ey9eEpYinAMxCAn
                                                                                                      MD5:D6703D48950B4DCD7CEDACD676B7A714
                                                                                                      SHA1:2A75183B9680A4DE01356D9A02D869F094AE84BE
                                                                                                      SHA-256:A5A8DE384BEAF0C1C4C6BBF045BCA06F584E079D0A0C33D153CA397722D68A4F
                                                                                                      SHA-512:C87151EF8913A36E359C19A31910EC22D31EF298C93B3E0B02F47AAC7930126CB62D8727DEC96DF9411E534D90650EEA212AEFC67E889E165EAFDFF420784F1E
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):19504
                                                                                                      Entropy (8bit):6.524061004252665
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:wyPa16oAL4D+wW9IWmDIW4IWYDcNyb8E9VF6IYinAM+oCFbZ:wWs6oqDjADKeD8EpYinAMxC/
                                                                                                      MD5:6A3B8D090D8206E941214FD379C1AE16
                                                                                                      SHA1:39A5FC15EAD808C8B9687B80927BD2E375E14E57
                                                                                                      SHA-256:90C837538F0AC5C5C725AD4F55F865756ACA80AE56CDC6BB47EBC97B2487AAB4
                                                                                                      SHA-512:DCB1639662096D7A152DEC9C6DED5A77FAEA1AA144186EE7CC8F7CF7FEC0E430656C021F38FE13B3634AE3EFCC16B6606045357B0737C2254CC44F71004EC835
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):42544
                                                                                                      Entropy (8bit):6.380743282886218
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:f9CYW62Pirf9Mkvwtwq6uUQ/B0X5tl9wCVjkz3pVS3Upoztj+rNyb8E9VF6IYinP:f9Nf94GX7nwOa5VS2ozd+nEpYinAMxCG
                                                                                                      MD5:CA3B7F3359FE8F98AD1DC508A850E4A5
                                                                                                      SHA1:512BFB4FD468A46C21BF21E22B8974FFC5F4229F
                                                                                                      SHA-256:7D3CEC8073F1FCF61271C4EEEC7AFC9D270DF47EDC837BADBAAAF8EBC88E182F
                                                                                                      SHA-512:B33E0CB83F2F5AD79A54BC3C4AF5D3C193555763688425369853B6BA30C280F2976A956E6C69C6B49DE25E693EF5A8F891E8E5A336AEC3092218D6800C30DF66
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1547
                                                                                                      Entropy (8bit):5.008195800038022
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                      MD5:029F543956E8B235A70112C77912150A
                                                                                                      SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                      SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                      SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):76848
                                                                                                      Entropy (8bit):6.053721432037672
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:aPGo8P6wlXZMw68BQE8yZRU4C2tnm67HxR:anQVlfx80RU4C2hm6T
                                                                                                      MD5:5DB2F9DE182F80DE43AF4EFBE8CEA9FD
                                                                                                      SHA1:7ABBD1D7A7459DF9777239255E7B22C6B07641A3
                                                                                                      SHA-256:A41759B18B37FA49B970709320E6B556F05150569B350A893C15E120344F89B6
                                                                                                      SHA-512:A7D3D45D0C3E3B4A1A0A31D671E0F8C1FEE6B5045ABA3F6E8EF8E1B28559BC3E620649F1B8ECD6E680363B9472E773B7421087A62BC7CD5270F6BBBE684EEE24
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):953
                                                                                                      Entropy (8bit):4.9874198404771155
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:JduPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:327O7RgdjdgFSagFw
                                                                                                      MD5:8C9F9547ABA4CD154FAA858695986C4E
                                                                                                      SHA1:667630B8AEA31C20C20EE569983B73028F0DBA21
                                                                                                      SHA-256:7DE06E53089587194D3669B5F2050B363CC2AC1BC66F0537EC4D7AD94357D46F
                                                                                                      SHA-512:C305E923A197E2C39813D423FE50D94F183E932BCC66DBEE5667AD7F4083254D50510E35ED3603555FEB4C42F580C8A1FA3D1568CC7305D22B79AB406607F836
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):349232
                                                                                                      Entropy (8bit):2.8911332911002288
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:fuwQVu5Sb/jb5/EH8VAynnnnnnnnnnnnnnnwt5Z:fu95cZ
                                                                                                      MD5:62A635E2DD6CE67A74999F57C9B0FC99
                                                                                                      SHA1:0CBDFB178BA890236F775373D696F41DB76C88E2
                                                                                                      SHA-256:10A632808FFE84C0C0A87E42EA4312FB7EE73C83C74BDCEF2CD07CCF1CF84EAE
                                                                                                      SHA-512:6336C499EC1E9997ED00A3D8E143B0795E215C55E38731826E643BE7C81688CAFEF9C9D07F2CC2380123886BA36096936FDFD4A53E11789D3EBF6BC58D23DD4B
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1547
                                                                                                      Entropy (8bit):5.008195800038022
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                      MD5:029F543956E8B235A70112C77912150A
                                                                                                      SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                      SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                      SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):349232
                                                                                                      Entropy (8bit):2.8911332911002288
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:fuwQVu5Sb/jb5/EH8VAynnnnnnnnnnnnnnnwt5Z:fu95cZ
                                                                                                      MD5:62A635E2DD6CE67A74999F57C9B0FC99
                                                                                                      SHA1:0CBDFB178BA890236F775373D696F41DB76C88E2
                                                                                                      SHA-256:10A632808FFE84C0C0A87E42EA4312FB7EE73C83C74BDCEF2CD07CCF1CF84EAE
                                                                                                      SHA-512:6336C499EC1E9997ED00A3D8E143B0795E215C55E38731826E643BE7C81688CAFEF9C9D07F2CC2380123886BA36096936FDFD4A53E11789D3EBF6BC58D23DD4B
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1547
                                                                                                      Entropy (8bit):5.008195800038022
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                      MD5:029F543956E8B235A70112C77912150A
                                                                                                      SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                      SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                      SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):59440
                                                                                                      Entropy (8bit):6.137270255428244
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:nXZF2u4+tuH4aPLEdUEaHLB2W0eUb16dk+CXdNTjRS8SeHiEpYinAMxCk2h:npF4OyX4d2LPibMBCzXRfSoj7HxOh
                                                                                                      MD5:29A44FCEE93634B8E9F69F82983ED7A7
                                                                                                      SHA1:1C833AF58028E9002A0C5487D27805F0DF5F3997
                                                                                                      SHA-256:E91859A43ED25E017046E9B0799BA48D13C41919248002EE9FC4E9E3D4CAD66C
                                                                                                      SHA-512:5DFB944FE0F50C4E430082A2A7EF467863D59C373A9C2E9D921551050E8607D3D5B1856D1B50DF58A60B7665C42180B1A88C46057508F38647369E5206CF8ECF
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1191
                                                                                                      Entropy (8bit):4.971943087661362
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:JduPF7NhOXrRH2/dVQ7uH2/FVxlPH2/FV0PH2/+w39y:327O7RgdSagFjdgFsg+w3w
                                                                                                      MD5:B8E88B1C181AFEB535BFEA1155000E8E
                                                                                                      SHA1:EB9066E96542DCE5F35DBF2F1424FD79ACEBB65F
                                                                                                      SHA-256:5D094CC46FED5173A2B1BE4C8E5DBDB658D2C14ABD367C47DFC6F6EABD5F295C
                                                                                                      SHA-512:58459651D3358FDDD4114AB569786A2306338C08D27D3D449BE2084EAE9D4A619C5650D3699DCA6702AEFDE8F9E77FD9E56C87EF51D4A8CCB2A22A378C488C37
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):23088
                                                                                                      Entropy (8bit):6.501679088753368
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:TLOGTOwM15TRwLm6orgNyb8E9VF6IYinAM+oCyy8z:TnMTR0PaYEpYinAMxCQ
                                                                                                      MD5:3314D1B614F9EF304B4DC56192E120C7
                                                                                                      SHA1:E712FBEDAC8B9D9A0840C2E09EE48D2B394AEF0A
                                                                                                      SHA-256:E6A343AABE8924FA6D13FE34EB6E9F93611F186F0484D54AA22E87C371EE8511
                                                                                                      SHA-512:94B608FEA0411D406994BFEED76B99B503A02E57A928926DC88E472AADB41FFD93862945ED1636BE9B17F2C6203D65D7FA0E42FB44DD775916C3F217F2C390BD
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1817648
                                                                                                      Entropy (8bit):6.551384864904906
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:M9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkPv:M9Nzm31PMov
                                                                                                      MD5:BE2AECFE72DFDA1E2FF05B279FCC9579
                                                                                                      SHA1:14E9A808A1C5EDD85EF4496A2C7B66188F652845
                                                                                                      SHA-256:C6D1DAB4431EAE651CA2FDD7A7FDA08F30B40AB4AB5621049808D9A311538CB8
                                                                                                      SHA-512:B7B566E359DFCD80221BFA8ABABA8D1424A49E36F10BD583C4D04D8FCE0E3491F31FF826C566DB4717EC8707F2EC8F7A6824C779A59ADF1CDEBC81B48D542F96
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1436208
                                                                                                      Entropy (8bit):6.781393779521666
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:bs5ThI+vIjDEzn7tcBGtYnxLbdVlRdouD5RawYkGq78Yr4i9YE1tOvhefHXCvEs8:GlI+vIjE7mjOuKa8Riy+gvhaIn2+0X
                                                                                                      MD5:4E386DBAFF2E2EF643DBFE6C48EE4B60
                                                                                                      SHA1:AC8C6156BFE22EC653DB9AA63008BCE115BBAB37
                                                                                                      SHA-256:4CACEE80F5EAC5B689D4449DF1D35A4DA0248A4848F454B534763F67FA3265EA
                                                                                                      SHA-512:E140DAC25343C0EF5250C7778E9356AF842F6AD21C6262538B4AF90F8ADD7E10F3FBEB3B61093047A7FC534A42BE7E2C76084E110B4D86CABD8E5FD4836D9C71
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                      Category:dropped
                                                                                                      Size (bytes):582537
                                                                                                      Entropy (8bit):7.999529358280024
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:12288:jFWPADWqxzsjJ/91r5+50BxeCMJuzjFxI5RWV7ZK5j:E8WQzz50Bxel0jzZU
                                                                                                      MD5:8C3A8B04727329AE1B41873E81F360ED
                                                                                                      SHA1:EF4647DAB3A94EF49769FC35DED7C9DD2E506A8F
                                                                                                      SHA-256:EF5E5D94D5EACDCEDE92FB99FC3439EDD44FE53E352ABE058FBB46E43066AB6D
                                                                                                      SHA-512:A47D96A9C97C6C6A5972182C5797C0B1B6A15B9DC7017CFE7798061540C5C686426473BA502B2949D0AA16547D92758E735BCF8CDA1C09A0326B14479239A6BB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):52272
                                                                                                      Entropy (8bit):5.836724024105667
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:ExCQ5h7KT77yxeqGLQOFfxicft9w56PzePEpYinAMxC6:ICQ5hGP7T3kSBft9w56P6o7Hxd
                                                                                                      MD5:6095B43FA565DA44E7A818CFB4BACBA2
                                                                                                      SHA1:0613CAB68FFB3903A18ED5F4967D52B4815D2499
                                                                                                      SHA-256:9FBC99E85F5FA709D0D21854D4FE1FD420C7DEC8EC1F7105BE74EEB282EFFC8C
                                                                                                      SHA-512:D0A27917F420968355AF04D572D597F83D8011A86E9C32546C0A7BE493556AE0618894DDA04CADC935A16264D7685823425D1E57F1A0873F0119A74664F88956
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):535
                                                                                                      Entropy (8bit):5.076084597400077
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:MMHdG3VO3rdZRLNFF7ap+5v5OXrRf/2//FicYo4xm:JdfrdDPF7NhOXrRH2/d9r
                                                                                                      MD5:D505E3DE03F172FA2B246E210054C5F7
                                                                                                      SHA1:F5A480F56F760EEBA3B29108387E54D70A721127
                                                                                                      SHA-256:A568F933F09B1AD1EE5E88DDCFFA1FE5921D18B73477136E1FAEE55F2BEF399A
                                                                                                      SHA-512:80F01447B43525DBDF5B283522FE14D9AECEF16E55EA3FE36DC0A94B53C49E03BB56136F0911C348FB78FB5AF6112B1DE7C38CBFFBD73ACB2971655EF1B2B859
                                                                                                      Malicious:true
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12
                                                                                                      Entropy (8bit):3.584962500721156
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:WhXTLd:WBTp
                                                                                                      MD5:B1DE0EF19266A86B8F7A2BCD03ECD23B
                                                                                                      SHA1:AB91C344BFECEF0CDB73119D4C5C72BAA8CD21E7
                                                                                                      SHA-256:50578EB887B529FB77AFAA4F3A888ECA57E2D640F4789BBEE470F1EFF04DEB7F
                                                                                                      SHA-512:656C69FF2C62F2704AC409AA3B04CB78B9767FE908BD0BE4C6977A469B68D7C5F83B786EE915BECF5244E70892A48A92B9D0CA9A767EA329B63A6EAD98F9F274
                                                                                                      Malicious:false
                                                                                                      Preview:version=26.8
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):96816
                                                                                                      Entropy (8bit):6.180127833270033
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:ZJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxw1:ZQUm2H5KTfOLgxFJjE50vksVUfPvCY
                                                                                                      MD5:F8FE512BC57CBF44998221FD3C5944F4
                                                                                                      SHA1:7AAC2422B394A66FDAFA69B63CFF174ACCA1C867
                                                                                                      SHA-256:5D8527636659FAFA79AEB46A6C235C9C302EBEDF08196700C38C6592A404F71F
                                                                                                      SHA-512:AB5BCE24D24F441438A7DFD3E525511DFA2A865EC93BC39F25B5DD46E99EECEC8D2A0FB181BCBBD99D71F366FB00A47751B41A5926AA1031ACE905E453982E65
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):186416
                                                                                                      Entropy (8bit):5.93420260026271
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:+kfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyFeJ:o+c7b1W4R6joxfQ8Q
                                                                                                      MD5:A22369218A10056E810C621DB7F390CF
                                                                                                      SHA1:17B681E178D96185987EFBF578DFD340A5FBF356
                                                                                                      SHA-256:987534702FC690CFB0C8B21691C91FF42268FD21C27925D93F0F788FBE03EE80
                                                                                                      SHA-512:6D49C50DF7599799902C7544C6B60300B8C2736719C408E828306ED7839EAC63AD5FC003E5FCA0F25623FBBED7244E0BE4F5EC2D7C6C529C53944603088B61E2
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):331824
                                                                                                      Entropy (8bit):6.169000089371824
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:QBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNT6:QDMUWITZznu85k8Wdn8KmCjIFi3VvG
                                                                                                      MD5:DDA5C3CE3FDBDD8A7EE32FD4C52E1A7A
                                                                                                      SHA1:8C01C9943BDBA54ED58FA308408AB5961647FF03
                                                                                                      SHA-256:42DBAE4DC463C840A39C9DC5A0DB218C565013EAF08CE2340DF78E1F83A3F0CC
                                                                                                      SHA-512:4C10E61D86F3822FFEFFDA55B0A0C6063C1AEDB9AF200A5747CA4F84754C396D88ECDCF25F54834EDCCDF303AFDAF6FF25116445C381AB77190A78AE3C286136
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):710192
                                                                                                      Entropy (8bit):5.960836949197253
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:0Bja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUG:0Bjk38WuBcAbwoA/BkjSHXP36RMGj
                                                                                                      MD5:9B18B6E518E2088BC98D77C3ED163319
                                                                                                      SHA1:4F6C785597BBAB2BCAFE0527E99F2271D334B628
                                                                                                      SHA-256:ABBD5647F1F025E7D0B1148E909B3CE9D9CFEA3B737B156889C0EE33F4C42C92
                                                                                                      SHA-512:A2EA7FD06834A047AE64CDFA762CD55A8BC486912933E254EA565E1294C75CFA24DB66990C87881B05156F5549FC7E695E2439E736B7435EF8FABE7B36A5EF51
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):55856
                                                                                                      Entropy (8bit):6.238978848951217
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:hREoc0f5k1KlLoz0WOySMEpnSO7iX16UJKdiYpBEpYinAMxCWLg:hR8+5k15z0WBZEtgwJq7Hx3U
                                                                                                      MD5:DFFF197E97490BB88ACF7EBB14870A4C
                                                                                                      SHA1:F355204DCB7F9045A91F3C6E20AB9D54C42A1B6C
                                                                                                      SHA-256:65AA35A36E77421CAAE591068E7C3AD23E1DFE3D51D5FBF39F8F308B4F19970E
                                                                                                      SHA-512:6F450AE14BC9EE67D99E894CD1F256F7D6885D03C8BEC8AD449F26B0D2FA64036763432BBF69D5887C7053E7BF5B2EFC4030C584731054B5FF4F6EB335C16C15
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602672
                                                                                                      Entropy (8bit):6.145404526272746
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                      MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                      SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                      SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                      SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):73264
                                                                                                      Entropy (8bit):5.954475034553661
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                      MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                      SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                      SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                      SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):753
                                                                                                      Entropy (8bit):4.853078320826549
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                      MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                      SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                      SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                      SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, Author: Joe Security
                                                                                                      Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7466
                                                                                                      Entropy (8bit):5.1606801095705865
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                      MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                      SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                      SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                      SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):145968
                                                                                                      Entropy (8bit):5.874150428357998
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                      MD5:477293F80461713D51A98A24023D45E8
                                                                                                      SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                      SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                      SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, Author: Joe Security
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1442
                                                                                                      Entropy (8bit):5.076953226383825
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                      MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                      SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                      SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                      SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3318832
                                                                                                      Entropy (8bit):6.534876879948643
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                      MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                      SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                      SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                      SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):215088
                                                                                                      Entropy (8bit):6.030864151731967
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                      MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                      SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                      SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                      SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):710192
                                                                                                      Entropy (8bit):5.96048066969898
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                      MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                      SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                      SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                      SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602672
                                                                                                      Entropy (8bit):6.145404526272746
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                      MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                      SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                      SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                      SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):73264
                                                                                                      Entropy (8bit):5.954475034553661
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                      MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                      SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                      SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                      SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                      File Type:ASCII text, with CRLF, LF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):247
                                                                                                      Entropy (8bit):5.13653732743661
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:ARpFGT8/ZipKFSQNA4Q5VygMKVdq4gDb31DX:gKWZLSQVGVyghgRb9X
                                                                                                      MD5:CC48DDEA7CF2F28221FF5C9BE141C2D8
                                                                                                      SHA1:5AD993B085DF35A4DF6EF9AA88A3DBA9CEAD8B2D
                                                                                                      SHA-256:261BFEB2A3A7D93B0873C538DC488AF757E1E69B4FE54FB3E222C64749F70289
                                                                                                      SHA-512:C084060EEC63504E83D4CE05DE672E9DB88AA098448183B9377A81F849746C391FBDB58904C730FB46751B8ED28DF8DBCFBDC0212054722D38CF5E5FCAD8C29B
                                                                                                      Malicious:false
                                                                                                      Preview:/i /IntegratorLogin=wupdate10hotmail.com /CompanyId=3 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000LYyQnIAL /AgentId=62ae0c2e-ffb4-481a-8335-a07d991966c0.29/08/2024 04:33:20 Trace Starting..29/08/2024 04:33:36 Trace Starting..
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):178
                                                                                                      Entropy (8bit):5.256121786307957
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:5PbTsIAQ8hNpu66I8UN81WsOrdUgMHDxY52Px5fEfrsf3J2MzqRI+OPkvOy:RbTpAQ8h7u6z8Uu1arOgMHDQuMj25rmD
                                                                                                      MD5:71DCEF8B80008EB3B248E6009EA190E7
                                                                                                      SHA1:0755DBD04756E446DDE0C798BA25D6A5910D14C6
                                                                                                      SHA-256:3CD965FE6278CEC6FE3C56056652B1B9CD496338CE4FF33E30EAD8117DCB3F2A
                                                                                                      SHA-512:3733D6A9AA64EB992D50EC4CB9312C7B1D3CB0054121807EAD02A2017DAE3AEDF1D78CAF988BFCCB7D100C778813C751CECF8A78DD8F06C7192C15DCA4D5E529
                                                                                                      Malicious:false
                                                                                                      Preview:eyJJZCI6ImY1ZTQ5YzlhLTM0MGItNDUzYy05YjkyLTk5M2NmZWYzODFkNyIsIkNyZWF0ZWQiOiIyMDI0LTA4LTI5VDA0OjM0OjE4LjE1NTE0MjgtMDQ6MDAiLCJNZXNzYWdlIjoiX0lOSVRfIiwiVGltZW91dCI6IjAwOjAxOjAwIn0=..
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:ASCII text, with CRLF, LF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):247
                                                                                                      Entropy (8bit):5.13653732743661
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:ARpFGT8/ZipKFSQNA4Q5VygMKVdq4gDb31DX:gKWZLSQVGVyghgRb9X
                                                                                                      MD5:CC48DDEA7CF2F28221FF5C9BE141C2D8
                                                                                                      SHA1:5AD993B085DF35A4DF6EF9AA88A3DBA9CEAD8B2D
                                                                                                      SHA-256:261BFEB2A3A7D93B0873C538DC488AF757E1E69B4FE54FB3E222C64749F70289
                                                                                                      SHA-512:C084060EEC63504E83D4CE05DE672E9DB88AA098448183B9377A81F849746C391FBDB58904C730FB46751B8ED28DF8DBCFBDC0212054722D38CF5E5FCAD8C29B
                                                                                                      Malicious:false
                                                                                                      Preview:/i /IntegratorLogin=wupdate10hotmail.com /CompanyId=3 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000LYyQnIAL /AgentId=62ae0c2e-ffb4-481a-8335-a07d991966c0.29/08/2024 04:33:20 Trace Starting..29/08/2024 04:33:36 Trace Starting..
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):145968
                                                                                                      Entropy (8bit):5.874150428357998
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                      MD5:477293F80461713D51A98A24023D45E8
                                                                                                      SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                      SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                      SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1442
                                                                                                      Entropy (8bit):5.076953226383825
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                      MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                      SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                      SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                      SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                      Malicious:false
                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3318832
                                                                                                      Entropy (8bit):6.534876879948643
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                      MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                      SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                      SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                      SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):215088
                                                                                                      Entropy (8bit):6.030864151731967
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                      MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                      SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                      SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                      SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):710192
                                                                                                      Entropy (8bit):5.96048066969898
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                      MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                      SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                      SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                      SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602672
                                                                                                      Entropy (8bit):6.145404526272746
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                      MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                      SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                      SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                      SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):73264
                                                                                                      Entropy (8bit):5.954475034553661
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                      MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                      SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                      SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                      SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                      Malicious:true
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:CSV text
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2402
                                                                                                      Entropy (8bit):5.362731083469072
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                      MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                      SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                      SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                      SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                      Malicious:false
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:CSV text
                                                                                                      Category:dropped
                                                                                                      Size (bytes):651
                                                                                                      Entropy (8bit):5.343677015075984
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                      MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                      SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                      SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                      SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                      Malicious:false
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2994176
                                                                                                      Entropy (8bit):7.878661208701989
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:f+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:f+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                      MD5:5175E85FEBED10FD772EE10D682946AA
                                                                                                      SHA1:655D4204FD1B86A5A619EEBC2C210A4A0C03A0BA
                                                                                                      SHA-256:44F4A65EDF7AE3CE4FBC50B03BC034B27D699E7A17CBD130CAC07D78CE171985
                                                                                                      SHA-512:6F8D841F3473EE6E6F490AD77F88F30EFA4230DC920DED96AA9FCAA11029AE2C1C0A196F6EA290ACA701614A3543B08D5B11BFFAE8AAFE4AB11119945AB9EEEB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2994176
                                                                                                      Entropy (8bit):7.878661208701989
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:f+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:f+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                      MD5:5175E85FEBED10FD772EE10D682946AA
                                                                                                      SHA1:655D4204FD1B86A5A619EEBC2C210A4A0C03A0BA
                                                                                                      SHA-256:44F4A65EDF7AE3CE4FBC50B03BC034B27D699E7A17CBD130CAC07D78CE171985
                                                                                                      SHA-512:6F8D841F3473EE6E6F490AD77F88F30EFA4230DC920DED96AA9FCAA11029AE2C1C0A196F6EA290ACA701614A3543B08D5B11BFFAE8AAFE4AB11119945AB9EEEB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2994176
                                                                                                      Entropy (8bit):7.878630966889847
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                      MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                      SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                      SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                      SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2994176
                                                                                                      Entropy (8bit):7.878630966889847
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                      MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                      SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                      SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                      SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                      Category:dropped
                                                                                                      Size (bytes):521954
                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):25600
                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI264A.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1538
                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                      Malicious:false
                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):184240
                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):711952
                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):61448
                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                      Category:dropped
                                                                                                      Size (bytes):521954
                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):25600
                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI2A13.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1538
                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                      Malicious:false
                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):184240
                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):711952
                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):61448
                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                      Category:dropped
                                                                                                      Size (bytes):521954
                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):25600
                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI3699.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1538
                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                      Malicious:false
                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):184240
                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):711952
                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):61448
                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                      Category:dropped
                                                                                                      Size (bytes):521954
                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):25600
                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI3C45.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1538
                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                      Malicious:false
                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):184240
                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):711952
                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):61448
                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):437355
                                                                                                      Entropy (8bit):6.6481729763700494
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:0t3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Ks4:EzOE2Z34KGzOE2Z34K1
                                                                                                      MD5:B4A063B617C379C7A0125087076E2411
                                                                                                      SHA1:31C08C4C24551830905B4626076AB78447E1220D
                                                                                                      SHA-256:E30B18F7696F2F069E148F69052D7D31266C131149F2F0926FC29D39E1882688
                                                                                                      SHA-512:7444E284518CB2F1D38F2FC80536A94190F9BAF783EEE1465803372495D562324A6A8534B4BE23D48188948F44CD3B0F4D3239D89659D5E69772456F80B76A93
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI3E3A.tmp, Author: Joe Security
                                                                                                      Preview:...@IXOS.@.....@($.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent9.SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                      Category:dropped
                                                                                                      Size (bytes):521954
                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                      Malicious:true
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):25600
                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI3E3B.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1538
                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                      Malicious:false
                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):184240
                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                      Malicious:false
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):711952
                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                      Malicious:true
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):61448
                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                      Malicious:false
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):216496
                                                                                                      Entropy (8bit):6.646208142644182
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                      MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                      SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                      SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                      SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                      Malicious:false
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):216496
                                                                                                      Entropy (8bit):6.646208142644182
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                      MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                      SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                      SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                      SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                      Malicious:false
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                      Category:dropped
                                                                                                      Size (bytes):521954
                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                      Malicious:true
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):25600
                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI5698.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1538
                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                      Malicious:false
                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):184240
                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):711952
                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):61448
                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                      Category:dropped
                                                                                                      Size (bytes):521954
                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):436009
                                                                                                      Entropy (8bit):6.651561563116124
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:Ht3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Kse:NzOE2Z34KGzOE2Z34K5
                                                                                                      MD5:3145B407758E33E9E2D2DF0F49895339
                                                                                                      SHA1:459B2947A6A290F96E99DFD62FC4E956A1D159AF
                                                                                                      SHA-256:5EB2F4D1F472F6CA5A991C51F82CE9C63EAC23C63EDAD8505906229DE964E1ED
                                                                                                      SHA-512:FD86D4C51AC5110F41D5A386F5ADEC73790F06CD8338278881D9FAA8C3E281ED545EC2BF44B66484A443478738F3DCF4F258EB1E07B0B3D60890720491F47760
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI7328.tmp, Author: Joe Security
                                                                                                      Preview:...@IXOS.@.....@Q$.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent9.SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}....&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}c.&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}............StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P......................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):216496
                                                                                                      Entropy (8bit):6.646208142644182
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                      MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                      SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                      SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                      SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):216496
                                                                                                      Entropy (8bit):6.646208142644182
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                      MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                      SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                      SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                      SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):216496
                                                                                                      Entropy (8bit):6.646208142644182
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                      MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                      SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                      SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                      SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):437217
                                                                                                      Entropy (8bit):6.6478289868774265
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:qt3jOZy2KsGU6a4Kspt3jOZy2KsGU6a4Kse:SzOE2Z34K+zOE2Z34KD
                                                                                                      MD5:151B2B87C5E02CB8D1AA7FADC8F412F3
                                                                                                      SHA1:4C01AF0966679BDE07E6B7BA718522EA856A7395
                                                                                                      SHA-256:1DA5F4F777EF2A90E0915A78E4F8605A2EB44C4EDF99407A0F079593EE613C07
                                                                                                      SHA-512:48B6F67BE751B89473C3EEECCF01C824285EC9F3C963B98653B881E7E98712EE31B89CCB9D48610B5C4CDC60D07292FDB73BE6F947379F63EFBD2A3BF47F4CDE
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI9114.tmp, Author: Joe Security
                                                                                                      Preview:...@IXOS.@.....@U$.Y.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[....
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):216496
                                                                                                      Entropy (8bit):6.646208142644182
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                      MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                      SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                      SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                      SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                      Malicious:false
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                      Category:modified
                                                                                                      Size (bytes):521954
                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                      Malicious:true
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20480
                                                                                                      Entropy (8bit):1.1729967758483966
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:JSbX72FjAiAGiLIlHVRpIh/7777777777777777777777777vDHFzTPrfWrl0i8Q:JBQI5wBTr/F
                                                                                                      MD5:41E263319D7CE9185C5541CDC57ED1CA
                                                                                                      SHA1:9EA0B22522E05069C13FB82C8D270042BACE6074
                                                                                                      SHA-256:2779AC7FBC5ACAA465CDE17B2D6BA44936C43B2155CE2C00C60276BB2CE23DED
                                                                                                      SHA-512:0CD8830EC3AF3AEDDCC08344B687957EA459B51B7C58105E57EE09BFE2566E659DEB1DC46EE4F25328DF20B6003D9DC001564039B1CDB7089002F1DFCCEE5F7B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20480
                                                                                                      Entropy (8bit):1.1921198405772577
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:JSbX72FjdsXAlfLIlHmRpOBh+7777777777777777777777777ZDHFoQRl7hsgwv:JCUIYcaiImgwz6F
                                                                                                      MD5:B80C6160E927EB398EA631D61ABC64A1
                                                                                                      SHA1:FF0F7378DEE1DABCED631ADA555E7D1F0EF6405D
                                                                                                      SHA-256:918004E69C0F805A7C0D629831D2F26D688B550A8F27F628605D8804CF01334D
                                                                                                      SHA-512:EF21E62968BB9A3A392D6F374C47DC555C20FBEE945DAD3D1F325ECD5B883280BF34690D0E4FC01E8B08EB04C6623FEE10DBE11870690FC421091078A3287F3A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20480
                                                                                                      Entropy (8bit):1.6208935422891662
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:p8PhPuRc06WXJEnT5hDXqISoedvPdvbCnuhnq9Xnm1dStedvPdvxubS:khP1HnTvD6IciuBuXmv4
                                                                                                      MD5:3ABB73C58AAA7A68C2AE09A8AB115397
                                                                                                      SHA1:6497B3179A0B806E91E37FB6A98E0A5D8C1CA800
                                                                                                      SHA-256:6E5CF0D1B82835ED3A1973C8887E1C26FDA30F0669C233BE9CE1049FBBE6CDB8
                                                                                                      SHA-512:AA4444EDAA0041A5F4B334270DB7C790323497B850B84D0FC9CF587DADAF6C6C5957214432DA84401B6D995AEA05B41B26809C17AD51D27B5E5D1274F4F4DEF4
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):432221
                                                                                                      Entropy (8bit):5.375172548319441
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau+:zTtbmkExhMJCIpErj
                                                                                                      MD5:F4918E5F1091CE18921A283078D06B84
                                                                                                      SHA1:3F8A2E4C84BDD36F1F8BB9EB7322D1F74E19578B
                                                                                                      SHA-256:6EA54C40DF360D1244FA370489B83280F2AE7C87B03C1D16357863197EEBF9AB
                                                                                                      SHA-512:8CA856B290D59B9AFDD9CDDF303FEFEAA103264AF2EDD13C77DE2B9970571FFBF3E53AE64C9466FD2F48E49D17379EE75A2414C61C78BB53E823004FFA7242E3
                                                                                                      Malicious:false
                                                                                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      File Type:CSV text
                                                                                                      Category:dropped
                                                                                                      Size (bytes):651
                                                                                                      Entropy (8bit):5.343677015075984
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                      MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                      SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                      SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                      SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                      Malicious:false
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):704
                                                                                                      Entropy (8bit):4.805280550692434
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                      MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                      SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                      SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                      SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                      Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):471
                                                                                                      Entropy (8bit):7.151105477223213
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:JyYOot5GLsHYQyn53d5PUmN0HSl1FSVjzPQMMFs+QD:JROotILs4QICoUjzP5/+QD
                                                                                                      MD5:278A6DE86FC963D966CEA46D45A5616C
                                                                                                      SHA1:A7338B6878B5634685A96F0D03493E3A21814AD5
                                                                                                      SHA-256:7325D01BBF781432D112F8854F686750818FABAD03012E44F41995777FAC406C
                                                                                                      SHA-512:4D29A0FBF5636D9179F73B3107BCB5CE1294EA1F7DF999C85F5554FA3D8AB72470BD57CBEB2E39EF7148C5FC1847F965B3EF5B665639FCEB69975F2942BCD47C
                                                                                                      Malicious:false
                                                                                                      Preview:0..........0.....+.....0......0...0......E....1-Q...!..m....20240828165849Z0s0q0I0...+...........@..D3=?..Mn8...Q..E....1-Q...!..m..........-...P..@.Z....20240828165849Z....20240904165849Z0...*.H..................hM.f.vFgZ?............%Q.A.|w8.....t.2..y.E....oB[....(%../...D".9.,&.Z...Us..u.[v\..y[..o......B...;....5M}6....c1R}p..P.....{..d.!1..8.@x..R|....44..=.P....e.)...sn..`.{.Z..u..o.K...'...b.W..+...r.".<..9..cV..1..UIc..eV...{2.x.[...2...!53..
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):727
                                                                                                      Entropy (8bit):7.623032370314327
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:5o6Tq9t9X5h44TUqYRKkdcv41ndASilU6C8yTesrHGWnnXjErUeO2BOAYIqDn:5k9XoqYR/cYASilrCRe+X0P9qDn
                                                                                                      MD5:73E19215C6A7CED51D76256858B2DB42
                                                                                                      SHA1:B89EBC1F557DBA3A21BC975D2E3082F6E99AA293
                                                                                                      SHA-256:056B2EE7ACE5CD5AC5E5FD4E441C453AECB09B75155392DFF11019DB9238571E
                                                                                                      SHA-512:8CAE44D7B0A0C457DAB789338CB2D628B97CABC531C05AE422DCA437AC1535631AF0A85086F818C5F778203CDAEFB961A419EF4CD5D08F0FB0C7629AE1175B52
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Certificate, Version=3
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1716
                                                                                                      Entropy (8bit):7.596259519827648
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                      MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                      SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                      SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                      SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):727
                                                                                                      Entropy (8bit):7.5796111039943455
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:5onfZ3yc5RlRtBfQ1yMDsNznwJsauSAhpzPMHSuht5sIJ1uKKSofQ+aBg:5iIcdZHMDAzwJsaYpz0yuhtyIJEbnfnL
                                                                                                      MD5:35A25889CF4723E16CF53BCF2BE8B29B
                                                                                                      SHA1:FB2F3A646155D582F4D7124B9526317BE747E818
                                                                                                      SHA-256:55BC56C5C362A1A4B1F805CD021D7DB0E6F1295989BFF3473AA16D1EEE6DD6F8
                                                                                                      SHA-512:A51EE91AC2FB9CA3C23ECB0EF2674FA327EE66C833D66B8EEA26DE7DF01D1804F46B8487D3EB3DBEA63686FB7C0409DCB956454FDC9B9632984A79219A861438
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:Certificate, Version=3
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1428
                                                                                                      Entropy (8bit):7.688784034406474
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                      MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                      SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                      SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                      SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):338
                                                                                                      Entropy (8bit):3.4346859258168894
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:kKQD8lJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:IDlkPlE99SCQl2DUevat
                                                                                                      MD5:1900702C4D282B29872F607F60969848
                                                                                                      SHA1:86743CA86B47C2C2E46D2B459318D8159AE227DA
                                                                                                      SHA-256:1254A25EA97DA9490B1508A84167694A7FB27F000DC391EC5B5211E205717611
                                                                                                      SHA-512:E15565D769D8B93892C3783A31D0BB6640AE255CC08F3E5FF64D85C38E6A922F0B0430A74FBC33BDBCF8F26DAE842F6253598B1AA2528B1AB2D31A373A132E72
                                                                                                      Malicious:false
                                                                                                      Preview:p...... ........K"......(................................................".17... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):400
                                                                                                      Entropy (8bit):4.019533789291087
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:kK4YFwlaZXlRNfOAUMivhClroFzCJCgO3lwuqDnlyQ4hY5isIlQhZgJn:fFDmxMiv8sFzD3quqDkPh8Y2ZM
                                                                                                      MD5:09925AF2897A25E7B295BD0D2EB7A0D6
                                                                                                      SHA1:C3381A936CA009EF8F9530F26B74A38AE03EC2D5
                                                                                                      SHA-256:E21208761B22427EB1B4AE4472B4ED35EB23028DF59CBEF0464E8F2D4C91CA3E
                                                                                                      SHA-512:1DAB456AA37AF9E24F7E9F5B84862036844DCE2B6BEBF494FB9C013AB97DDBB2014DC1190D742F2716E7D9EEE7A3BF85470051737DAA47362A8B55ACAEF8FCB1
                                                                                                      Malicious:false
                                                                                                      Preview:p...... .........'.+....(.................f.k....*K......................*K..... ............... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):404
                                                                                                      Entropy (8bit):4.016972970378857
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:kK3msf/LE0bfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhl+KscSikK2:uMLNbmxMiv8sF3HtllJZIvOP205scn8
                                                                                                      MD5:2ADB1B878AFB8B6093987CCFFE09B11A
                                                                                                      SHA1:6FCC06D369E20C57140CCEEB76EAA52BCE7CA861
                                                                                                      SHA-256:7110A544652C80EBA7147B3E0543D03EF44088257989A2BF179F9538A33992EC
                                                                                                      SHA-512:18F78B0F5019D67A6FD2DFBABE40F8553F5F92ADE1CCEC34244E1A4FDFE030ED8A9028A455F6D6C0C9ACBA417492F028F12B4D27D9598AF377544CC3158EE905
                                                                                                      Malicious:false
                                                                                                      Preview:p...... .... ....&.,....(.................6......V.......................V..... .........(..... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.o.o.S.Z.l.4.5.Y.m.N.9.A.o.j.j.r.i.l.U.u.g.%.3.D...
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):308
                                                                                                      Entropy (8bit):3.2155953741951353
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:kKg3zNcalgRAOAUSW0P3PeXJUwh8lmi3Y:oCtWOxSW0P3PeXJUZY
                                                                                                      MD5:FBCBC366C27C22C8C9421AC758F076F0
                                                                                                      SHA1:BD4241D5EF54DC5DB2E05914B1A1D0AFCEEE16AB
                                                                                                      SHA-256:E89505784EEDE37C62CED73935DCAE5E5555774A591C7BE067C2D1E21D426514
                                                                                                      SHA-512:6F79C49CBFF3E7CFC413CC8564183E402EB31DAF0F2BAEECE49E7AB47041B23FE15E07E68E09C7FC02FC77A60176F87E749A4CAAE38852D8AA60181A299CA83F
                                                                                                      Malicious:false
                                                                                                      Preview:p...... ........m.......(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):412
                                                                                                      Entropy (8bit):3.998737567408719
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:KUo/lxRc/bmxMiv8sFBSfamB3rbFURMOlAkr:KUo/+Tmxxv7Sf13rbQJr
                                                                                                      MD5:3B478FC2E4DDE0620345280EDAAA3361
                                                                                                      SHA1:5AB8056BA9F26BD0DBA4001C9A7CF8D7D9E951C5
                                                                                                      SHA-256:18700F931CD85C7451AB552759DE2D7B21DCB444404ECAD314F2EAB32C4D5329
                                                                                                      SHA-512:D8F8E24F82A80887A5861476C784EB2BE31815A367BC3AE85068D04C144FC8A04602DBFBB336EFBA80B8C20B240CA218C53A91ED8B5CFA8BCC38E710DCDA3E68
                                                                                                      Malicious:false
                                                                                                      Preview:p...... ....(....r.=....(..........................0.......................0... ............... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):254
                                                                                                      Entropy (8bit):3.068646898467291
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:kKhbEpLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:J8LYS4tWOxSW0PAMsZp
                                                                                                      MD5:7C55855331BA21BF1603594586C36E05
                                                                                                      SHA1:B853B4EAD2DA0EBD5ACD0A88A40C9DE269A95AA3
                                                                                                      SHA-256:3D4A3FA036DDE2EA704E6584E87AAF15D7A0FD9B8FDDFB4302ACAB0760BB1B8A
                                                                                                      SHA-512:CF6628AED502EC5BDEBB72FB799C79CBBC9239EC90DB978494615CABB5632D0034C1EB68DD583E9C8FB274C2573C47296383C8868318B673C29C5FEB0D3E3A59
                                                                                                      Malicious:false
                                                                                                      Preview:p...... ....l.....H.....(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                      File Type:CSV text
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1944
                                                                                                      Entropy (8bit):5.343420056309075
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:MxHKQg8mHDp684YHKGSI6oPtHTHhAHKKkhHNpaHKlT44HKmHKe60:iqzCYqGSI6oPtzHeqKkhtpaqZ44qmq10
                                                                                                      MD5:437E4DCFC04CB727093C5232EA15F856
                                                                                                      SHA1:81B949390201F3B70AE2375518A0FFD329310837
                                                                                                      SHA-256:5EADB9774A50B6AD20D588FDA58F5A42B2E257A0AA26832B41F8EA008C1EB96B
                                                                                                      SHA-512:0332C7E5205CF9221172473A841284487ACC111780A58557231FCDE72A5EDB7E7E3EF6C87AB9682A688BC24992A74027F930267B541039BD8757EEF4E2F51A0E
                                                                                                      Malicious:false
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1983
                                                                                                      Entropy (8bit):5.345248756179348
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKksHVsHT6HNHOHKCHKlT40HKe60:iqbYqGSI6oPtzHeqKks1sz6tuqCqZ40T
                                                                                                      MD5:F974F0FCD981AC0581C5498C0155EF91
                                                                                                      SHA1:0CF6D5F41937B296EF9D37FC90E56EC8458B96DF
                                                                                                      SHA-256:500B63AEC50B89EF4CEC9ED49E53D168CDC35D235CB416B84234D3E45F3AC365
                                                                                                      SHA-512:1484917CC2A8E88DD4010FEE60394BD974D5C44ED0482DAD64B06A319E1F7E414321B8BDB06C6DE70152CFEA887BBDEFD2F2689C077251E8D2BBC9448FBF8719
                                                                                                      Malicious:false
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runtime\2702
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:modified
                                                                                                      Size (bytes):3043
                                                                                                      Entropy (8bit):5.361093730986187
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKk9HVsHUHhHKe6PfHKWA1eXrHKlT4d6HNHGHPmHKm:iqbYqGSI6oPtzHeqKk91s0Bq13qhA7qp
                                                                                                      MD5:7FBB3BC293626F02EEE5D12A2FC44FE7
                                                                                                      SHA1:A736DE9B60CEC25864AE995EF046F3F317B5D1AC
                                                                                                      SHA-256:B6ED7FB8E1D3A5AB9858099700CDA16766D6F442587CD6F965815CF8AFC1444D
                                                                                                      SHA-512:C175AF1525508EEA8DEAE8BE67E4780922492B3D01ACDB36B43220DE5B57898F10558F80C5D6218B61A236D35C41047527C6AD00770F477E23507AAEA7EF2000
                                                                                                      Malicious:false
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\f4
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                      File Type:CSV text
                                                                                                      Category:modified
                                                                                                      Size (bytes):1722
                                                                                                      Entropy (8bit):5.366509527070196
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkCHKe6PfHKWA1eXrHKlT4fHi:iqbYqGSI6oPtzHeqKkCq13qhA7qZ4fC
                                                                                                      MD5:12EDC7C8880BE159C159CCB8144A5011
                                                                                                      SHA1:CB75973C194B8131E0BBAFEC417E13F040DEEC42
                                                                                                      SHA-256:96935DE33B56EC976A012F6B2D00E39E66CF18735D5A65FBD849CFA0648C8A22
                                                                                                      SHA-512:C11A8DD3774B5FB0E6D9326759D039203C23B657F47F17AC1920C425F54E4B0FA44AE93ED87302603E330F75EA359E7969B7CBFEEC0DC432F88DA5551CA7D1B5
                                                                                                      Malicious:false
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\545a9409c1
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1968
                                                                                                      Entropy (8bit):5.358970550932517
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHxLHqHvHl3HKlT44HKmHKe60:iqbYqGSI6oPtzHeqKktRLKPJqZ44qmqW
                                                                                                      MD5:127E8EC0D285A5FE3BBBDF1356CCDA71
                                                                                                      SHA1:C7DA4465A42E04A9AD4B914E59834166C37B9DA0
                                                                                                      SHA-256:B094760E40845C308F474171B839A5EC85B309988A435A902F0CE530DAFF9E62
                                                                                                      SHA-512:26B6E475C5F49F82F97EAD731E7D61E07E3DACDF5D88D38362708F185D63BBA0E5A0DB420CE1D6F9402B04E1BBA3338659639F963977807F79E277B5B13F3358
                                                                                                      Malicious:false
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKe
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                      File Type:CSV text
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1499
                                                                                                      Entropy (8bit):5.341844552740347
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUN+E4KlOU4mHE4KXWE4Ke60:MxHKQwYHKGSI6oPtHTHhAHKKk+HKlT4A
                                                                                                      MD5:1F102800C2B4B52354570886D784EA54
                                                                                                      SHA1:B84148B4A84AF5669134EB9EC27904A05E2517D2
                                                                                                      SHA-256:8367F22954F447B469ED78A27028539219651BEB79AFF371045A3347E99B906A
                                                                                                      SHA-512:AE4C42696AC5C7F532820D0B5D2412FEAEE4641884B189559C25989E013E09D799C10C98DDC6813D9F7C76A475C34DF8A48BAFC2F5D17708CF5440F931D1CE0A
                                                                                                      Malicious:false
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
                                                                                                      File Type:CSV text
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1499
                                                                                                      Entropy (8bit):5.341844552740347
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNWE4KXSE4KlOU4mXE4Ke60:MxHKQwYHKGSI6oPtHTHhAHKKkWHKCHKl
                                                                                                      MD5:D45F0B0387AA9450CC88125F2428C26D
                                                                                                      SHA1:8C77259A299BF2FB7A66EC695A3F0EFA5154DCB6
                                                                                                      SHA-256:6A6DF19288C76B1CEDD0F507F226705CDE6A69F3AB59B4FC13AF5C7B7F7D12A3
                                                                                                      SHA-512:5523AD8087ECE039FFFEF746F9B6175D6C2F2523C372FC813D21E695C18D986432D2B83C23D0E6CD6C42C97DFC8DECE3121BE8907D05337EA9B282D3E947EF4F
                                                                                                      Malicious:false
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ce
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                      File Type:CSV text
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1075
                                                                                                      Entropy (8bit):5.353521172341231
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNa8mE4Dp689:MxHKQwYHKGSI6oPtHTHhAHKKka8mHDpN
                                                                                                      MD5:BDADAD127D5A6079C29C0C870A5C3C2C
                                                                                                      SHA1:AD5D30886AE959F271CF777D386A31CD792C9A64
                                                                                                      SHA-256:7186B9EAC66BD83E5E1C050D81529BC68511538118E65019EBECFD952C22FD55
                                                                                                      SHA-512:198087F52C39A32ACE7A90E9212C2AA0F31EDF8349773C8C6C5495CA82C890F9A8A44356AC5AEBB42F3342E6BE981DC4BCFE1D7FB43760745D7240A117257725
                                                                                                      Malicious:false
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv7
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):145968
                                                                                                      Entropy (8bit):5.874150428357998
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                      MD5:477293F80461713D51A98A24023D45E8
                                                                                                      SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                      SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                      SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3318832
                                                                                                      Entropy (8bit):6.534876879948643
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                      MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                      SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                      SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                      SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\System32\sppsvc.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):899968
                                                                                                      Entropy (8bit):3.8647754636011666
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:k6kfJdDopPTX8NSBt/5ps9oJfBDGVMlDr:6PDKO6Vf
                                                                                                      MD5:8F723330DE8B01616AD3989E43D9C2B5
                                                                                                      SHA1:5F3D5A2CD7198979D55566B77FF35B0B14F3C55B
                                                                                                      SHA-256:8848B439CFE32CE36D86AC14C51E0452B7A0C3F5CFFB7D9223977C81056F27E0
                                                                                                      SHA-512:810386B4D0255DF15DDDE15B187FC3AAAEA658C39AB1606157C6ED35693957CCA72BA0881B3D5B57A7F3E9A607CD14312C2EE55482400798C5FA68E5958A7810
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):227774
                                                                                                      Entropy (8bit):3.77997461999511
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:eHN//usbZqAiXDI1d1oo7u7h/5e6tDrTJL6e1FB0zJbag1wwB+7AP7mYd131JDHJ:eu+jHhs3SYjLPsXmebAw+vUN
                                                                                                      MD5:D7A1E317B55CF46178F9EF2C375CD736
                                                                                                      SHA1:3C242D95FECA7B56BDB221BDA259541D80DE2602
                                                                                                      SHA-256:4771354B0550366523FFC5A4A364CC549314B4399322926161B659E2125995B5
                                                                                                      SHA-512:C869ECC24BFB621B300F0EEF832AD79A4D1183AF777C36098A2D1C8CFA5A6CB5F0216BE427A7306813817A27014B7189171C89874372431BAEE1F9F03E2E0067
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\AteraSetupLog.txt, Author: Joe Security
                                                                                                      Preview:=== Verbose logging started: 29/08/2024  04:34:17  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\SYSTEM32\msiexec.exe ===..MSI (c) (28:94) [04:34:17:317]: Resetting cached policy values..MSI (c) (28:94) [04:34:17:317]: Machine policy value 'Debug' is 0..MSI (c) (28:94) [04:34:17:317]: ******* RunEngine:..           ******* Product: C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi..           ******* Action: ..           ******* CommandLine: **********..MSI (c) (28:94) [04:34:
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2994176
                                                                                                      Entropy (8bit):7.878630966889847
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                      MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                      SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                      SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                      SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):1.2220949502251748
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:x8PhcuRc06WXJEnT5xDtGqISoedGPdGTxaStedGPdGTn:Mhc1HnT/D5IJD
                                                                                                      MD5:A6BF45D2F0F09959D509178E0506CF94
                                                                                                      SHA1:12859B3C0C5D55127406546CF46B857E39407D8B
                                                                                                      SHA-256:0D0B9B133D3354765F0FDC870CB11B4873B365C16E940751E75051EF14F23FEB
                                                                                                      SHA-512:D301F92AD97E1E4C2068AA2F6E1E7EEE53E21BA3569BBDC30889F296A198C6FDCCE5C121268BD52888A370993D4D9006A00005A2E4B306961F2AE9C46E6FE0E6
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF04AD7AF9A69DBE6F.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):69632
                                                                                                      Entropy (8bit):0.16382035741268922
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:TEubmStedvPdv+qISoedvPdvbCnuhnq9Xnm1en:hybIciuBuXmkn
                                                                                                      MD5:5081A1AC218C295D00252D28B45BCF1F
                                                                                                      SHA1:6FC53363686810436E9AA22D18DE77BABF9B5DF3
                                                                                                      SHA-256:00E65CD3349F2D3E5260D3FCBE84A1B0DD3C1923930925BB0A26B165325B477C
                                                                                                      SHA-512:5D1DF50DD5D2BE72EDE75397F4067C27DD1E84D0B34E532EC92D1972585DA5845E5B42F9ED81597E0AE9BF121B70D445245AACEA7D82B19A797BCA52082AA414
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF1591E8985252195A.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):1.2651072617799568
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:tRmuerM+xFX4RT5RpHxb/jqISoedGPdGfoqrGStedGPdGRub1n:3mJRST7OItox
                                                                                                      MD5:7C6E7D3A17980469106E9C15C5E4DA96
                                                                                                      SHA1:D332C8DB39CA50CC45ACF3A628E15863E0FC5144
                                                                                                      SHA-256:49BC7D532CAA28DD9FCD1D2E71EFC6D69CBD5A194E3EC92F9AB0686CF8DA16CA
                                                                                                      SHA-512:76349A070027E55458190DD0B073AA25A25DD7EE19143D2AAE64204B7462C3FCECF6277CDA7C88A8E4EDE79B5D5F7CD3A8AE4A42F1CB3F9B340AFBB7F596CF42
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF1B46B0D5C1119819.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):69632
                                                                                                      Entropy (8bit):0.14968379611370922
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:CnVubmStedGPdGeqISoedGPdGfoqrpPpHxb:icyLIk
                                                                                                      MD5:0F3D266E5DC9DD61FA535927BB55C629
                                                                                                      SHA1:31E8FC221580E900C857CCAAB13CE68FD96B65EB
                                                                                                      SHA-256:C2CD1853E5E12649476B2A20C0D844570EC21ED7101B34F44B45173AACADD78D
                                                                                                      SHA-512:4ABCC086FE26AE9AC8C7B9447950C5D3E79F04F2258A4F693D727C31B7C768DAE5AA38577366C065047A76097F6D7163BB3E0EAC06AEC18AD86E53390A03877C
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF1D775E85030B078D.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):49152
                                                                                                      Entropy (8bit):1.0013345813957666
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:RMMXukNveFXJbT5p3DXqISoedvPdvbCnuhnq9Xnm1dStedvPdvxubS:zXeDTn3D6IciuBuXmv4
                                                                                                      MD5:23487416FD7154286CDB9927C77F41D4
                                                                                                      SHA1:B6044E1FDA2BA111D207011D91DDE2853F294B64
                                                                                                      SHA-256:7228F5AC1B355B32AAEE6D55294CCB345A2D75DC4009A990DDC215C94C93B260
                                                                                                      SHA-512:9723EFC71068B7133DE4F267CBE4318938A58FBD5299931FB65ACB8B02BA7762ABE1F9D2A67E930BF5E8CC24B6C5F47CB8ECD71696E7EE6A475DDB18A9604CFE
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF1EB00227774853C0.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):49152
                                                                                                      Entropy (8bit):1.0013345813957666
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:RMMXukNveFXJbT5p3DXqISoedvPdvbCnuhnq9Xnm1dStedvPdvxubS:zXeDTn3D6IciuBuXmv4
                                                                                                      MD5:23487416FD7154286CDB9927C77F41D4
                                                                                                      SHA1:B6044E1FDA2BA111D207011D91DDE2853F294B64
                                                                                                      SHA-256:7228F5AC1B355B32AAEE6D55294CCB345A2D75DC4009A990DDC215C94C93B260
                                                                                                      SHA-512:9723EFC71068B7133DE4F267CBE4318938A58FBD5299931FB65ACB8B02BA7762ABE1F9D2A67E930BF5E8CC24B6C5F47CB8ECD71696E7EE6A475DDB18A9604CFE
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF20A3BE0DDB7494A9.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):1.2310617076437853
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:sVUuKNveFXJbT5dDtGqISoedGPdGTxaStedGPdGTn:gU8DT7D5IJD
                                                                                                      MD5:843D0C18F5C48802112AC0F121D70965
                                                                                                      SHA1:F04BFD5F3B2E91A2A816D4ED2E4F225701BFF471
                                                                                                      SHA-256:A30A7FBFFD0A532C18AD925429464EED81D4607AFC76EB937E717EF0D0114363
                                                                                                      SHA-512:AC125708E9C36C779CC09EF7DC4241F0E84C48EDCFAD5C7CC40B4B59C73A80A659F8A242B9ADF154A62090AF2F127748BA46D964079CDF3FF62F6CE3A33E64B4
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF317748A319DD3D03.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20480
                                                                                                      Entropy (8bit):1.6208935422891662
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:p8PhPuRc06WXJEnT5hDXqISoedvPdvbCnuhnq9Xnm1dStedvPdvxubS:khP1HnTvD6IciuBuXmv4
                                                                                                      MD5:3ABB73C58AAA7A68C2AE09A8AB115397
                                                                                                      SHA1:6497B3179A0B806E91E37FB6A98E0A5D8C1CA800
                                                                                                      SHA-256:6E5CF0D1B82835ED3A1973C8887E1C26FDA30F0669C233BE9CE1049FBBE6CDB8
                                                                                                      SHA-512:AA4444EDAA0041A5F4B334270DB7C790323497B850B84D0FC9CF587DADAF6C6C5957214432DA84401B6D995AEA05B41B26809C17AD51D27B5E5D1274F4F4DEF4
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF33240F6687B6B9EE.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):1.2310617076437853
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:sVUuKNveFXJbT5dDtGqISoedGPdGTxaStedGPdGTn:gU8DT7D5IJD
                                                                                                      MD5:843D0C18F5C48802112AC0F121D70965
                                                                                                      SHA1:F04BFD5F3B2E91A2A816D4ED2E4F225701BFF471
                                                                                                      SHA-256:A30A7FBFFD0A532C18AD925429464EED81D4607AFC76EB937E717EF0D0114363
                                                                                                      SHA-512:AC125708E9C36C779CC09EF7DC4241F0E84C48EDCFAD5C7CC40B4B59C73A80A659F8A242B9ADF154A62090AF2F127748BA46D964079CDF3FF62F6CE3A33E64B4
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF36FDFBBA3E53577F.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):0.08924426926333415
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOwdQb9cM7hsrqxkyVky6lHX:2F0i8n0itFzDHFoQRl7hsgWHX
                                                                                                      MD5:4263D18D1C0EC7F4B98C9B3398098613
                                                                                                      SHA1:3538C28184E4EA2D39BFB04E4EBDD69ACF3D109A
                                                                                                      SHA-256:6FBC9883DD884FA1F312CD0D41A3DB607C123ADDD61ECC6BC45B32CAD0FB514B
                                                                                                      SHA-512:073F7196D0C3AFCDBF5D781B10E86EE7AF3E199BCCF3F75F2C975C69E2A03520E3AB629EA9EA45FE16227E1A30BC82BBFC5A4774644DCB950872C9C414BE7B0F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):49152
                                                                                                      Entropy (8bit):1.0013345813957666
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:RMMXukNveFXJbT5p3DXqISoedvPdvbCnuhnq9Xnm1dStedvPdvxubS:zXeDTn3D6IciuBuXmv4
                                                                                                      MD5:23487416FD7154286CDB9927C77F41D4
                                                                                                      SHA1:B6044E1FDA2BA111D207011D91DDE2853F294B64
                                                                                                      SHA-256:7228F5AC1B355B32AAEE6D55294CCB345A2D75DC4009A990DDC215C94C93B260
                                                                                                      SHA-512:9723EFC71068B7133DE4F267CBE4318938A58FBD5299931FB65ACB8B02BA7762ABE1F9D2A67E930BF5E8CC24B6C5F47CB8ECD71696E7EE6A475DDB18A9604CFE
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF519946364BE93146.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):69632
                                                                                                      Entropy (8bit):0.13077577173461022
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:CnAipVfedGSadGS7qIipVGedGSadGSfEqasJGkWTZk6g+J+nE:CnAStedGPdGeqISoedGPdGTx7g2
                                                                                                      MD5:2EC110C38DEB5B148776A6685D884000
                                                                                                      SHA1:0FC207A42AC707AEAE2E16006C2D9E94E5AAB300
                                                                                                      SHA-256:434B7DC3C5DDE1DF4CE3D974E3139C0A3A3D61ED52B17113F29BDF2F04826E3D
                                                                                                      SHA-512:05EEC58730F988C708C717B5AF40D2C7166DAAB3F2E54A8C614757DAD558CFB6851BCBCACC82E3322D095E7EFD8572D3BCD6B635CDDC590AC1CC7E21B8310696
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF533C0A14230452D9.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):1.2310617076437853
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:sVUuKNveFXJbT5dDtGqISoedGPdGTxaStedGPdGTn:gU8DT7D5IJD
                                                                                                      MD5:843D0C18F5C48802112AC0F121D70965
                                                                                                      SHA1:F04BFD5F3B2E91A2A816D4ED2E4F225701BFF471
                                                                                                      SHA-256:A30A7FBFFD0A532C18AD925429464EED81D4607AFC76EB937E717EF0D0114363
                                                                                                      SHA-512:AC125708E9C36C779CC09EF7DC4241F0E84C48EDCFAD5C7CC40B4B59C73A80A659F8A242B9ADF154A62090AF2F127748BA46D964079CDF3FF62F6CE3A33E64B4
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF55953B35FD07CE90.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20480
                                                                                                      Entropy (8bit):1.6208935422891662
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:p8PhPuRc06WXJEnT5hDXqISoedvPdvbCnuhnq9Xnm1dStedvPdvxubS:khP1HnTvD6IciuBuXmv4
                                                                                                      MD5:3ABB73C58AAA7A68C2AE09A8AB115397
                                                                                                      SHA1:6497B3179A0B806E91E37FB6A98E0A5D8C1CA800
                                                                                                      SHA-256:6E5CF0D1B82835ED3A1973C8887E1C26FDA30F0669C233BE9CE1049FBBE6CDB8
                                                                                                      SHA-512:AA4444EDAA0041A5F4B334270DB7C790323497B850B84D0FC9CF587DADAF6C6C5957214432DA84401B6D995AEA05B41B26809C17AD51D27B5E5D1274F4F4DEF4
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF67AE738D5B83914E.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):0.077966497703753
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO1LtCmOuPrfkiVky6l51:2F0i8n0itFzDHFzTPrfWr
                                                                                                      MD5:785EA75A2FB1DB6D9155B28A1291DAF3
                                                                                                      SHA1:6B86F7E077D0A8823383FBB776313FEDB17BFDEA
                                                                                                      SHA-256:BCD727E77C067BD5A31C13E8024F00ED60381D9AB725CAE2E6777A5708C9DDE0
                                                                                                      SHA-512:1834BBF627951711C96708EE7AA4B6C069055E832C717561DC77592E68EFB93E65FE825A5D3D13859057C93BE96CC12701D725491C4CFC49A4EE4FD40942E72A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20480
                                                                                                      Entropy (8bit):1.582386585925445
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:am8PhuuRc06WX4inT5ppHxb/jqISoedGPdGfoqrGStedGPdGRub1n:qhu1ynTzOItox
                                                                                                      MD5:C331D973F85888C69CE8C49BA92FF16E
                                                                                                      SHA1:CD102CE7E1D0F60E3FB5B3AD10CCDCA4976B268F
                                                                                                      SHA-256:C37C66B177363F26D09FDBC60471FF910C0A213461BB1A7D709D4431AD0BCA21
                                                                                                      SHA-512:FD83213DF81BC6320D1750FCC12D32B5876C4EBC3668DB8974AFFA494B29183828B256C03AD050C22486657C3C9A0EAC257395F2F5ABF8C7B413A2F62DACBEC3
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB319C87D74F5AC11.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):1.2651072617799568
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:tRmuerM+xFX4RT5RpHxb/jqISoedGPdGfoqrGStedGPdGRub1n:3mJRST7OItox
                                                                                                      MD5:7C6E7D3A17980469106E9C15C5E4DA96
                                                                                                      SHA1:D332C8DB39CA50CC45ACF3A628E15863E0FC5144
                                                                                                      SHA-256:49BC7D532CAA28DD9FCD1D2E71EFC6D69CBD5A194E3EC92F9AB0686CF8DA16CA
                                                                                                      SHA-512:76349A070027E55458190DD0B073AA25A25DD7EE19143D2AAE64204B7462C3FCECF6277CDA7C88A8E4EDE79B5D5F7CD3A8AE4A42F1CB3F9B340AFBB7F596CF42
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFCA1F7B08DDD54517.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20480
                                                                                                      Entropy (8bit):1.582386585925445
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:am8PhuuRc06WX4inT5ppHxb/jqISoedGPdGfoqrGStedGPdGRub1n:qhu1ynTzOItox
                                                                                                      MD5:C331D973F85888C69CE8C49BA92FF16E
                                                                                                      SHA1:CD102CE7E1D0F60E3FB5B3AD10CCDCA4976B268F
                                                                                                      SHA-256:C37C66B177363F26D09FDBC60471FF910C0A213461BB1A7D709D4431AD0BCA21
                                                                                                      SHA-512:FD83213DF81BC6320D1750FCC12D32B5876C4EBC3668DB8974AFFA494B29183828B256C03AD050C22486657C3C9A0EAC257395F2F5ABF8C7B413A2F62DACBEC3
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFCCE0A42FD3B63322.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):1.2220949502251748
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:x8PhcuRc06WXJEnT5xDtGqISoedGPdGTxaStedGPdGTn:Mhc1HnT/D5IJD
                                                                                                      MD5:A6BF45D2F0F09959D509178E0506CF94
                                                                                                      SHA1:12859B3C0C5D55127406546CF46B857E39407D8B
                                                                                                      SHA-256:0D0B9B133D3354765F0FDC870CB11B4873B365C16E940751E75051EF14F23FEB
                                                                                                      SHA-512:D301F92AD97E1E4C2068AA2F6E1E7EEE53E21BA3569BBDC30889F296A198C6FDCCE5C121268BD52888A370993D4D9006A00005A2E4B306961F2AE9C46E6FE0E6
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFDED6DBFC236D96A7.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):1.2651072617799568
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:tRmuerM+xFX4RT5RpHxb/jqISoedGPdGfoqrGStedGPdGRub1n:3mJRST7OItox
                                                                                                      MD5:7C6E7D3A17980469106E9C15C5E4DA96
                                                                                                      SHA1:D332C8DB39CA50CC45ACF3A628E15863E0FC5144
                                                                                                      SHA-256:49BC7D532CAA28DD9FCD1D2E71EFC6D69CBD5A194E3EC92F9AB0686CF8DA16CA
                                                                                                      SHA-512:76349A070027E55458190DD0B073AA25A25DD7EE19143D2AAE64204B7462C3FCECF6277CDA7C88A8E4EDE79B5D5F7CD3A8AE4A42F1CB3F9B340AFBB7F596CF42
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFF63C46A253E291BD.TMP, Author: Joe Security
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2355
                                                                                                      Entropy (8bit):4.9802955226045516
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:TQ/s1zRs1ziVNn7pItUdSl4s1zRs1ziVNn7pItUdSc:TQ/gn/7p7Al4gn/7p7Ac
                                                                                                      MD5:29BF9E8576CDD9343BEC2F553461E639
                                                                                                      SHA1:CDC2005F528B8BBD4685E1DCD1CFBDF78006B450
                                                                                                      SHA-256:780AC753F7F192560C68FB45B89DC67D2E59BA5B0BD0FF7A9BA3195C461DD4D7
                                                                                                      SHA-512:7A0B53EB3FB50A8F54F74BDA471FC76CDE2DA2319F83E5ECF0CB7833EC0B3D88B2F1ABDED203F6AB316251AB0225674B9BCA883A357718FDA4BB57086CE2985B
                                                                                                      Malicious:false
                                                                                                      Preview:2024-08-29 04:34:18.7922|ERROR|AgentPackageOsUpdates|Error executing command, args: getlistofallupdates..exception: System.AggregateException: One or more errors occurred. ---> System.Runtime.InteropServices.COMException: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it..... at WUApiLib.IUpdateSearcher.Search(String criteria).. at AgentPackageOsUpdates.OsUpdates.WindowsUpdates.WuApiService.GetUpdatesByQuery(String query).. at AgentPackageOsUpdates.OsUpdates.WindowsUpdates.WindowsUpdatesService.GetUpdates().. at AgentPackageOsUpdates.OsUpdates.OsUpdatesRetreiver.<Get>d__2.MoveNext()..--- End of stack trace from previous location where exception was thrown ---.. at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw().. at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSucces
                                                                                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                      Entropy (8bit):7.878661208701989
                                                                                                      TrID:
                                                                                                      • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                      • ClickyMouse macro set (36024/1) 34.46%
                                                                                                      • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                      File name:SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi
                                                                                                      File size:2'994'176 bytes
                                                                                                      MD5:5175e85febed10fd772ee10d682946aa
                                                                                                      SHA1:655d4204fd1b86a5a619eebc2c210a4a0c03a0ba
                                                                                                      SHA256:44f4a65edf7ae3ce4fbc50b03bc034b27d699e7a17cbd130cac07d78ce171985
                                                                                                      SHA512:6f8d841f3473ee6e6f490ad77f88f30efa4230dc920ded96aa9fcaa11029ae2c1c0a196f6ea290aca701614a3543b08d5b11bffae8aafe4ab11119945ab9eeeb
                                                                                                      SSDEEP:49152:f+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:f+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                      TLSH:27D523117584483AE37B0A358D7AD6A05E7DFE605B70CA8E9308741E2E705C1AB76FB3
                                                                                                      Icon Hash:2d2e3797b32b2b99
                                                                                                      Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.


                                                                                                      Target ID:0
                                                                                                      Start time:04:33:07
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi"
                                                                                                      Imagebase:0x7ff665ff0000
                                                                                                      File size:69'632 bytes
                                                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:1
                                                                                                      Start time:04:33:08
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                      Imagebase:0x7ff665ff0000
                                                                                                      File size:69'632 bytes
                                                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:false

                                                                                                      Target ID:2
                                                                                                      Start time:04:33:08
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding E4354813AFA0493C076A96F1473927A1
                                                                                                      Imagebase:0x850000
                                                                                                      File size:59'904 bytes
                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:3
                                                                                                      Start time:04:33:08
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe "C:\Windows\Installer\MSI264A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5973750 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                      Imagebase:0xef0000
                                                                                                      File size:61'440 bytes
                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000003.00000003.1789074978.0000000004EF3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:4
                                                                                                      Start time:04:33:09
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe "C:\Windows\Installer\MSI2A13.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5974843 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                                                                                      Imagebase:0xef0000
                                                                                                      File size:61'440 bytes
                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000002.1841281458.00000000050F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000002.1841281458.0000000005194000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000003.1804582498.0000000004D85000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:5
                                                                                                      Start time:04:33:14
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe "C:\Windows\Installer\MSI3C45.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5979234 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                                                                                      Imagebase:0xef0000
                                                                                                      File size:61'440 bytes
                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000003.1843418908.00000000048B3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:6
                                                                                                      Start time:04:33:14
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding D2A93337BD56D0126E460CB8ACC61589 E Global\MSI0000
                                                                                                      Imagebase:0x850000
                                                                                                      File size:59'904 bytes
                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:7
                                                                                                      Start time:04:33:14
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\SysWOW64\net.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"NET" STOP AteraAgent
                                                                                                      Imagebase:0xcd0000
                                                                                                      File size:47'104 bytes
                                                                                                      MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:8
                                                                                                      Start time:04:33:14
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:9
                                                                                                      Start time:04:33:15
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\SysWOW64\net1.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\system32\net1 STOP AteraAgent
                                                                                                      Imagebase:0xd10000
                                                                                                      File size:139'776 bytes
                                                                                                      MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:10
                                                                                                      Start time:04:33:15
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"TaskKill.exe" /f /im AteraAgent.exe
                                                                                                      Imagebase:0xe50000
                                                                                                      File size:74'240 bytes
                                                                                                      MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:moderate
                                                                                                      Has exited:true

                                                                                                      Target ID:11
                                                                                                      Start time:04:33:15
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:12
                                                                                                      Start time:04:33:15
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="wupdate10hotmail.com" /CompanyId="3" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000LYyQnIAL" /AgentId="62ae0c2e-ffb4-481a-8335-a07d991966c0"
                                                                                                      Imagebase:0x145ec800000
                                                                                                      File size:145'968 bytes
                                                                                                      MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 17%, ReversingLabs
                                                                                                      Has exited:true

                                                                                                      Target ID:13
                                                                                                      Start time:04:33:20
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                      Imagebase:0x187d6b40000
                                                                                                      File size:145'968 bytes
                                                                                                      MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2375608859.00000187F023F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:14
                                                                                                      Start time:04:33:20
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\sc.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                      Imagebase:0x7ff75c3c0000
                                                                                                      File size:72'192 bytes
                                                                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:15
                                                                                                      Start time:04:33:20
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:16
                                                                                                      Start time:04:33:21
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe "C:\Windows\Installer\MSI5698.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5985984 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                                                                                      Imagebase:0xef0000
                                                                                                      File size:61'440 bytes
                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1961821022.0000000004841000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1961821022.00000000048E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000003.1911590351.0000000004698000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:20
                                                                                                      Start time:04:33:30
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "504a98f9-ca9a-4a89-a079-990a1f1a6906" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LYyQnIAL
                                                                                                      Imagebase:0x2df3bae0000
                                                                                                      File size:176'176 bytes
                                                                                                      MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:21
                                                                                                      Start time:04:33:30
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:22
                                                                                                      Start time:04:33:34
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "bb464f1f-ebde-405c-84eb-3837e985cf22" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000LYyQnIAL
                                                                                                      Imagebase:0x2047fba0000
                                                                                                      File size:176'176 bytes
                                                                                                      MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      Has exited:true

                                                                                                      Target ID:23
                                                                                                      Start time:04:33:34
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:24
                                                                                                      Start time:04:33:35
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "ddae9b04-c290-43f2-85d0-fe3323cd32b1" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000LYyQnIAL
                                                                                                      Imagebase:0x22b136c0000
                                                                                                      File size:176'176 bytes
                                                                                                      MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      Has exited:true

                                                                                                      Target ID:25
                                                                                                      Start time:04:33:35
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:26
                                                                                                      Start time:04:33:35
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                      Imagebase:0x7ff7fcaf0000
                                                                                                      File size:289'792 bytes
                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      Has exited:true

                                                                                                      Target ID:27
                                                                                                      Start time:04:33:35
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:28
                                                                                                      Start time:04:33:35
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\cscript.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                      Imagebase:0x7ff72b930000
                                                                                                      File size:161'280 bytes
                                                                                                      MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2146773092.00000230BEBF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:29
                                                                                                      Start time:04:33:35
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                      Imagebase:0x1d2572d0000
                                                                                                      File size:145'968 bytes
                                                                                                      MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2772772048.000001D270907000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2663679651.000001D2581CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2656573181.000001D257565000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2647618595.0000004338105000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2772772048.000001D2708B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2663679651.000001D257FAA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2772772048.000001D2709C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2663679651.000001D25820E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2656189028.000001D257530000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2663679651.000001D258129000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2663679651.000001D257F22000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2767552688.000001D27039D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2663679651.000001D257E10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2772772048.000001D270987000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2663679651.000001D2582B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2663679651.000001D2580B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2663679651.000001D257C36000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2767552688.000001D270350000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2663679651.000001D2583AA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:30
                                                                                                      Start time:04:33:36
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\sc.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                      Imagebase:0x7ff75c3c0000
                                                                                                      File size:72'192 bytes
                                                                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:31
                                                                                                      Start time:04:33:36
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:32
                                                                                                      Start time:04:33:36
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\sppsvc.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\sppsvc.exe
                                                                                                      Imagebase:0x7ff75a170000
                                                                                                      File size:4'630'384 bytes
                                                                                                      MD5 hash:320823F03672CEB82CC3A169989ABD12
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:33
                                                                                                      Start time:04:33:41
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "9e035915-6b26-402d-981e-e84a6229a7bd" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000LYyQnIAL
                                                                                                      Imagebase:0x2308c630000
                                                                                                      File size:396'336 bytes
                                                                                                      MD5 hash:B50005A1A62AFA85240D1F65165856EB
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:34
                                                                                                      Start time:04:33:41
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:35
                                                                                                      Start time:04:33:45
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k smphost
                                                                                                      Imagebase:0x7ff6eef20000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:36
                                                                                                      Start time:04:34:08
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "3fbee305-e327-428f-bda1-2bc18be2bca1" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000LYyQnIAL
                                                                                                      Imagebase:0x1ebd61b0000
                                                                                                      File size:176'176 bytes
                                                                                                      MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      Has exited:true

                                                                                                      Target ID:37
                                                                                                      Start time:04:34:08
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:38
                                                                                                      Start time:04:34:09
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                      Imagebase:0x7ff7fcaf0000
                                                                                                      File size:289'792 bytes
                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2472978790.0000013F8935B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2472978790.0000013F89350000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2472978790.0000013F89373000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2473654300.0000013F895C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000003.2390457528.0000013F895E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:39
                                                                                                      Start time:04:34:09
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:40
                                                                                                      Start time:04:34:09
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\cscript.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                      Imagebase:0x7ff72b930000
                                                                                                      File size:161'280 bytes
                                                                                                      MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2463113691.00000163ABA90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:41
                                                                                                      Start time:04:34:11
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "4606faac-dcd3-48ea-96a4-be9dbf55b685" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000LYyQnIAL
                                                                                                      Imagebase:0x1852a080000
                                                                                                      File size:52'272 bytes
                                                                                                      MD5 hash:6095B43FA565DA44E7A818CFB4BACBA2
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:42
                                                                                                      Start time:04:34:11
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:43
                                                                                                      Start time:04:34:12
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                                                                                      Imagebase:0x23c00cd0000
                                                                                                      File size:52'272 bytes
                                                                                                      MD5 hash:6095B43FA565DA44E7A818CFB4BACBA2
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2436037477.0000023C00DBF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2436037477.0000023C00DA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2436037477.0000023C00DA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2456771902.0000023C016E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2456771902.0000023C01763000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2436037477.0000023C00E26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2454010327.0000023C01090000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2436037477.0000023C00DDE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:44
                                                                                                      Start time:04:34:12
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:45
                                                                                                      Start time:04:34:13
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "fbadf2d1-7f6e-423f-8961-d7e14595905e" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000LYyQnIAL
                                                                                                      Imagebase:0x1e702220000
                                                                                                      File size:33'328 bytes
                                                                                                      MD5 hash:1EB3651F13B9CFC3D055419FD7E51BF0
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                      Has exited:false

                                                                                                      Target ID:46
                                                                                                      Start time:04:34:13
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:47
                                                                                                      Start time:04:34:13
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "e1ec0629-d8c8-4b00-8645-21892e1a8ada" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000LYyQnIAL
                                                                                                      Imagebase:0x22f57fc0000
                                                                                                      File size:73'264 bytes
                                                                                                      MD5 hash:00A4D22D776D110ADCC63F0C567131C6
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:48
                                                                                                      Start time:04:34:14
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:49
                                                                                                      Start time:04:34:16
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "cd4ff46e-95ac-4992-9056-7f18e16c3d90" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000LYyQnIAL
                                                                                                      Imagebase:0x297e2220000
                                                                                                      File size:219'696 bytes
                                                                                                      MD5 hash:01807774F043028EC29982A62FA75941
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:50
                                                                                                      Start time:04:34:16
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:51
                                                                                                      Start time:04:34:16
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "35c7d0a2-9c2c-4240-a355-655b2bc909c2" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000LYyQnIAL
                                                                                                      Imagebase:0x25724700000
                                                                                                      File size:197'680 bytes
                                                                                                      MD5 hash:C0C8815ACF3A7BD323512DFEA1B0ABF0
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:52
                                                                                                      Start time:04:34:16
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:53
                                                                                                      Start time:04:34:17
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                                                                                      Imagebase:0x7ff665ff0000
                                                                                                      File size:69'632 bytes
                                                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000003.2761532899.000001EEB5A5B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000003.2712411884.000001EEB63BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000003.2708574073.000001EEB62F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2762831476.000001EEB5A72000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2762831476.000001EEB5A7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000003.2761629412.000001EEB5A70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000003.2756326038.000001EEB62F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000003.2761904787.000001EEB5A7B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000003.2761479064.000001EEB63BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2762958866.000001EEB63BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:54
                                                                                                      Start time:04:34:17
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "78953d77-04f4-4927-96f2-48ea76bda9be" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000LYyQnIAL
                                                                                                      Imagebase:0x1fa27190000
                                                                                                      File size:53'296 bytes
                                                                                                      MD5 hash:6E034C46991A649567D61B8124D6E59F
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:55
                                                                                                      Start time:04:34:18
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:56
                                                                                                      Start time:04:34:18
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding AF7E4A1B0B1155AB835243F849AD2B99 E Global\MSI0000
                                                                                                      Imagebase:0x850000
                                                                                                      File size:59'904 bytes
                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:57
                                                                                                      Start time:04:34:18
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe "C:\Windows\Installer\MSI3699.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6043765 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                      Imagebase:0xef0000
                                                                                                      File size:61'440 bytes
                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000003.2492428504.00000000046DD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:59
                                                                                                      Start time:04:34:20
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe "C:\Windows\Installer\MSI3E3B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6045265 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                                                                                      Imagebase:0xef0000
                                                                                                      File size:61'440 bytes
                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003B.00000002.2614896906.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003B.00000003.2506238221.0000000004D29000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003B.00000002.2614896906.0000000004F90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:60
                                                                                                      Start time:04:34:23
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 62ae0c2e-ffb4-481a-8335-a07d991966c0 "211dffe3-b620-4fa7-85bc-a6b32d161c63" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000LYyQnIAL
                                                                                                      Imagebase:0x1f3eca70000
                                                                                                      File size:51'248 bytes
                                                                                                      MD5 hash:26E9CCE4BD85A1FCACBF03A8C3F3DDCA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:61
                                                                                                      Start time:04:34:24
                                                                                                      Start date:29/08/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Reset < >
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000003.1790521151.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_3_7440000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $^q$$^q
                                                                                                        • API String ID: 0-355816377
                                                                                                        • Opcode ID: 5ac29f68f6116e3bdaa546e5840126f1adcf399e7eec697b93f29e640994a152
                                                                                                        • Instruction ID: 3338c1bbb95b484bb9e0d9c78cacbf926699a6e2ab6065abd3040f5bb4dc279d
                                                                                                        • Opcode Fuzzy Hash: 5ac29f68f6116e3bdaa546e5840126f1adcf399e7eec697b93f29e640994a152
                                                                                                        • Instruction Fuzzy Hash: 6551E0B1B002099FE714DF78D8406EEBBB6BFC8210B14802BD908DB364DA349D82CB91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000003.1790521151.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_3_7440000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq
                                                                                                        • API String ID: 0-149360118
                                                                                                        • Opcode ID: 5d61d6a619ff50b5daf1e18bf5f56a2a467f3a407fa702b1577291db5c8bee03
                                                                                                        • Instruction ID: dfa7b463c430cfd7038b7492fc5fa54393a1339af2125750527cd269c9ee8cff
                                                                                                        • Opcode Fuzzy Hash: 5d61d6a619ff50b5daf1e18bf5f56a2a467f3a407fa702b1577291db5c8bee03
                                                                                                        • Instruction Fuzzy Hash: 8B71C575B10218CFEB189BB5D8546AEBBB7BFC8200F14842AE506EB3B4DE75DC429741
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000003.1790521151.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_3_7440000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq
                                                                                                        • API String ID: 0-149360118
                                                                                                        • Opcode ID: aeb122223b0faafb3b1e783b379c66b150b1f9956a660a7fc6a84cd3fa28bf5d
                                                                                                        • Instruction ID: a75f279d943b7ee4e3337a0380548bd3e8801a1459d57e71c11851655e742b5f
                                                                                                        • Opcode Fuzzy Hash: aeb122223b0faafb3b1e783b379c66b150b1f9956a660a7fc6a84cd3fa28bf5d
                                                                                                        • Instruction Fuzzy Hash: 2F414075B501099BE718AA65D8A57EF67DAEFC4210F10843FE506EB390CD749C029392
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000003.1790521151.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_3_7440000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq
                                                                                                        • API String ID: 0-149360118
                                                                                                        • Opcode ID: d074e65bd217c3949085df22be601f79ecfc56e70736de2999ff1279151560d0
                                                                                                        • Instruction ID: 7e90e033919dc7f4fe9bcdb2215afdaf25b16e7b023656157ada34d15adc04cd
                                                                                                        • Opcode Fuzzy Hash: d074e65bd217c3949085df22be601f79ecfc56e70736de2999ff1279151560d0
                                                                                                        • Instruction Fuzzy Hash: 1F5158706082489FEB089B64D8557EE7FF6AFC9310F14445BE506EB3A1CE394C46C791
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000003.1790521151.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_3_7440000_rundll32.jbxd
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1791774395.00000000035CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035CD000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_35cd000_rundll32.jbxd
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000003.1790521151.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_3_7440000_rundll32.jbxd
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839930245.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4f70000_rundll32.jbxd
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        • Opcode Fuzzy Hash: 8ca266a6737cafad5b60c16eb08a45f3b12969ad09a04a85b8dd9cd3398a5ad0
                                                                                                        • Instruction Fuzzy Hash: 7D92EA34A4021CDFDB259FA0C954AEEBBB2FF89300F1045E9D5096B264DB769E85CF81
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq$(bq$(bq$(bq
                                                                                                        • API String ID: 0-2632976689
                                                                                                        • Opcode ID: b44d0a6d0f138b6a7e6ec78b4e492bfb3fded46bc10dc5657a11c323ff63268b
                                                                                                        • Instruction ID: c7472fa6c6a762efcf235798f24f3e2011a87321d274c1f479a25d47ec3ef2dd
                                                                                                        • Opcode Fuzzy Hash: b44d0a6d0f138b6a7e6ec78b4e492bfb3fded46bc10dc5657a11c323ff63268b
                                                                                                        • Instruction Fuzzy Hash: 9681E335B001148FDB04EF79D45469E7BE6EF89364B1480BAE90ADB3A4EE35EE01C791
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq$\;^q$|]q
                                                                                                        • API String ID: 0-2188306192
                                                                                                        • Opcode ID: 86b0f50068c4980e2c08c04c6f3857a2c3e5bf19a8a3003b2fe6e2baace89caf
                                                                                                        • Instruction ID: 43fe0ff567bbe249a4b87bf79f6f47501f75b7ae3f84caf31a5c8d169cff1c6e
                                                                                                        • Opcode Fuzzy Hash: 86b0f50068c4980e2c08c04c6f3857a2c3e5bf19a8a3003b2fe6e2baace89caf
                                                                                                        • Instruction Fuzzy Hash: 6361F675B441164FE7149B7A99506BFB7EBBFC436CB10802AD801D73A8EE38EC028791
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq$d
                                                                                                        • API String ID: 0-3334038649
                                                                                                        • Opcode ID: a9a66a84d885b55988471a72db9dc173f67a6f74031f068ec4316c60993d011b
                                                                                                        • Instruction ID: 2a46a7a163c6891542b70f8ef15462d11b179702ec33c3fd71c2bf9accd79d12
                                                                                                        • Opcode Fuzzy Hash: a9a66a84d885b55988471a72db9dc173f67a6f74031f068ec4316c60993d011b
                                                                                                        • Instruction Fuzzy Hash: 84F19C34A006058FD720DF59C48496ABBF2FF88328B25DA69D49ADB765D730FC46CB90
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $^q$$^q
                                                                                                        • API String ID: 0-355816377
                                                                                                        • Opcode ID: 3fc29be549be12a690cf38a9c676aabe78b7c342ae8df5ef188a7743d3406c9f
                                                                                                        • Instruction ID: 4be166152851a4e44bb2f6a32583721f4cec0c53a860f8a46009df7962eb41a8
                                                                                                        • Opcode Fuzzy Hash: 3fc29be549be12a690cf38a9c676aabe78b7c342ae8df5ef188a7743d3406c9f
                                                                                                        • Instruction Fuzzy Hash: B451D231B003099FC715DFB8D8406AEBBF6BFC9360B14856AE914DB364DA34AD06C791
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq$(bq
                                                                                                        • API String ID: 0-4224401849
                                                                                                        • Opcode ID: 0e3c6ef70e476bc797958e56cb4879387c04e7bfc314e0a4929c3fce4723bf24
                                                                                                        • Instruction ID: b3a9aaa5edb11eb526a07e9df64e70ba34f6b1cea0c39feab019b79958e0f3fb
                                                                                                        • Opcode Fuzzy Hash: 0e3c6ef70e476bc797958e56cb4879387c04e7bfc314e0a4929c3fce4723bf24
                                                                                                        • Instruction Fuzzy Hash: D541D834B042549FD715DF69C854BAE7FF2EF89320F2481A9D405AB355DA35ED02CB90
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq$LR^q
                                                                                                        • API String ID: 0-516514815
                                                                                                        • Opcode ID: b416d4890b36f3d5cf3431128d1ed21dc8577171920b8d3775f86f503524f240
                                                                                                        • Instruction ID: 1f3f97cba63ce448dce850eb99196a5bf6a9a607f808aa7238d148fc1ec576a2
                                                                                                        • Opcode Fuzzy Hash: b416d4890b36f3d5cf3431128d1ed21dc8577171920b8d3775f86f503524f240
                                                                                                        • Instruction Fuzzy Hash: 72414875B042544FEB49DF78985427E3BA7EFC1224B14846EE802DB3D5EE39AC06C780
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq
                                                                                                        • API String ID: 0-149360118
                                                                                                        • Opcode ID: 5817c0a69295ae0a91f1325cc70a908365ea44dbc532a640142ea2aa4ef42411
                                                                                                        • Instruction ID: 6b71886be38f3d2c26c3284c315e53bfdacc2c6c15ad812642464df948fd9d8b
                                                                                                        • Opcode Fuzzy Hash: 5817c0a69295ae0a91f1325cc70a908365ea44dbc532a640142ea2aa4ef42411
                                                                                                        • Instruction Fuzzy Hash: A4E18C74A003598FDB05CFA8C884A9DBBF2FF89314F148195D849AB3A6DB74ED46CB50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq
                                                                                                        • API String ID: 0-149360118
                                                                                                        • Opcode ID: 3ea9db202853b119f53890a11ae1e3959ae87938ad453f667304f9cd30b4f71b
                                                                                                        • Instruction ID: 8b6dae620356d7e1bc8dfcb1a695e5674da15ef4bee2587c829bf6ec902d1521
                                                                                                        • Opcode Fuzzy Hash: 3ea9db202853b119f53890a11ae1e3959ae87938ad453f667304f9cd30b4f71b
                                                                                                        • Instruction Fuzzy Hash: 89C19E30B006158FC718DF79C48456EBBE2FF88724B249969E4469B355DB34FC468B91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (Acq
                                                                                                        • API String ID: 0-1548273396
                                                                                                        • Opcode ID: 281d8cb7b5a4f5c2036b56b6231a9bb5e99fc76025602a9cbe086c5b6583fd2d
                                                                                                        • Instruction ID: 0a49f8c54c94573c1dc5a4a6e9808e4733635852fca735ba1511aeda7b127406
                                                                                                        • Opcode Fuzzy Hash: 281d8cb7b5a4f5c2036b56b6231a9bb5e99fc76025602a9cbe086c5b6583fd2d
                                                                                                        • Instruction Fuzzy Hash: 50C15D30B002199FDB18DFA9D494AAEBBB6BF84314F145469E406EB394EB74EC06CB51
                                                                                                        APIs
                                                                                                        • KiUserExceptionDispatcher.NTDLL ref: 04F79FF8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839930245.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4f70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DispatcherExceptionUser
                                                                                                        • String ID:
                                                                                                        • API String ID: 6842923-0
                                                                                                        • API String ID: 0-149360118
                                                                                                        • Opcode ID: f8e5c4bb6fe352546eb725235024a8a9ebfc8ac951b6784abc0078c90d38e783
                                                                                                        • Instruction ID: 02a6755b2ac9bc9edd2619a0fad3aacfaecb77cb972e7b21b2d860c2c030bf6a
                                                                                                        • Opcode Fuzzy Hash: f8e5c4bb6fe352546eb725235024a8a9ebfc8ac951b6784abc0078c90d38e783
                                                                                                        • Instruction Fuzzy Hash: 9A51F2307047418FD325CB29D48896AFBF6EFC5314B18CA69D44A8B766DA35FC06CB91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (Acq
                                                                                                        • API String ID: 0-1548273396
                                                                                                        • Opcode ID: 95b768d5fb16906fb49b75fc94d2dfbf8bf618660259284303a94308b578b459
                                                                                                        • Instruction ID: 57aa9fd98372ac07be00683838c106a63e241fd23ab2e0d34b002bb36bd34fa0
                                                                                                        • Opcode Fuzzy Hash: 95b768d5fb16906fb49b75fc94d2dfbf8bf618660259284303a94308b578b459
                                                                                                        • Instruction Fuzzy Hash: 6D419E70B002159FDB18DFA9D894AAEBBF6BF88314B105469D412EB354EF74AC06CB91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (Acq
                                                                                                        • API String ID: 0-1548273396
                                                                                                        • Opcode ID: ce9d1fe515762fc7c7d8c3863cd016f669cf310019d876dd463e24ac20390755
                                                                                                        • Instruction ID: 510e3257c9fbb2c1ba7bc5e6b76d382f32dba976a051515c13fbcffa9f4f022c
                                                                                                        • Opcode Fuzzy Hash: ce9d1fe515762fc7c7d8c3863cd016f669cf310019d876dd463e24ac20390755
                                                                                                        • Instruction Fuzzy Hash: 9D417C30B002159FDB18DFA9D894AAEBBF6BF88214F104469E412AB354EF74AC05CB91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq
                                                                                                        • API String ID: 0-149360118
                                                                                                        • Opcode ID: 4c861fd5df73bf5f76909470307ce718d75f8784d462a9382b7d11be3134542e
                                                                                                        • Instruction ID: 26b11d918cae3dfe245e4b5311dfbf2f56bb6119523fcb54fe73fb0199cc367f
                                                                                                        • Opcode Fuzzy Hash: 4c861fd5df73bf5f76909470307ce718d75f8784d462a9382b7d11be3134542e
                                                                                                        • Instruction Fuzzy Hash: BA31DD34B002158FEB18DB7ED4909BEBBE6FBC42647104179E506DB390EE74EC028B91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq
                                                                                                        • API String ID: 0-149360118
                                                                                                        • Opcode ID: 0cff76a2675062bc3df4da7517bf1373fa9760f48f8fbde78e9700da5ce6c2f2
                                                                                                        • Instruction ID: eb1cb3a38735a57f18a7eefc502574a4a06d4f6cc144926cd7f6108908d8e63f
                                                                                                        • Opcode Fuzzy Hash: 0cff76a2675062bc3df4da7517bf1373fa9760f48f8fbde78e9700da5ce6c2f2
                                                                                                        • Instruction Fuzzy Hash: D841AC34A006058FDB14DF59C484A6ABBF2FF89324B159AA9D45AEB361CB34F841CB50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq
                                                                                                        • API String ID: 0-149360118
                                                                                                        • Opcode ID: c61a745cf43b61fdf3444914a0877938d3f6d3fe8602dd7c5744176f750e1387
                                                                                                        • Instruction ID: 282ede639d9230298298268df722effccdccb28d801f377f6215369cde925e5c
                                                                                                        • Opcode Fuzzy Hash: c61a745cf43b61fdf3444914a0877938d3f6d3fe8602dd7c5744176f750e1387
                                                                                                        • Instruction Fuzzy Hash: E3419C35A006058FDB14DF59C484A6ABBF2FF99328B299969D45AEB351CB34F802CB50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq
                                                                                                        • API String ID: 0-149360118
                                                                                                        • Opcode ID: 3206a30ff9a6a1c1eb1c42071d0337dc5a9b71e25f3d100469383f860fa4260c
                                                                                                        • Instruction ID: 5a6d05310061f8f652f2f276aaf0d43d8c7eb3deb502990cf7fbd26099a92cf0
                                                                                                        • Opcode Fuzzy Hash: 3206a30ff9a6a1c1eb1c42071d0337dc5a9b71e25f3d100469383f860fa4260c
                                                                                                        • Instruction Fuzzy Hash: 73313430B083545FF719A77948243BEBBA6DB86324F14A46AD502E7386DD386C0687E2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq
                                                                                                        • API String ID: 0-149360118
                                                                                                        • Opcode ID: b8425c498ce2aa563304c0bb42491d1c7d239937899c1200f6e1a258c6d166e4
                                                                                                        • Instruction ID: 042e2c92f191f7c0f733c80ef81bb63c1c6220cace30b81d9aca9162bc93dbad
                                                                                                        • Opcode Fuzzy Hash: b8425c498ce2aa563304c0bb42491d1c7d239937899c1200f6e1a258c6d166e4
                                                                                                        • Instruction Fuzzy Hash: A12101357002009FD714DB6DD48886E7BE7EFC932571584AAE54ACB395DE35EC038B80
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q
                                                                                                        • API String ID: 0-1614139903
                                                                                                        • Opcode ID: 6b476180a0d97730f2f95aa8fa7306cc76eb615f8b39d30e2f9306288e02d886
                                                                                                        • Instruction ID: 73215035e9fdc8750e81641e172ef961a5ed73aa1ff6a5e8f1d220b1feaef457
                                                                                                        • Opcode Fuzzy Hash: 6b476180a0d97730f2f95aa8fa7306cc76eb615f8b39d30e2f9306288e02d886
                                                                                                        • Instruction Fuzzy Hash: 4F2159357002058FCB19DF6CD98099EBBE2FF8822872095A9E4559F369DB31F9068B91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: \;^q
                                                                                                        • API String ID: 0-2342212615
                                                                                                        • Opcode ID: 8269917bfcb472b4e1ad46229d85a4e435fcf67f3beee581cfddd86271bc5e65
                                                                                                        • Instruction ID: 97f3f651f0d9a99607311f527a867a358dc4ef8e13f8ed247dd432cca1ebefb9
                                                                                                        • Opcode Fuzzy Hash: 8269917bfcb472b4e1ad46229d85a4e435fcf67f3beee581cfddd86271bc5e65
                                                                                                        • Instruction Fuzzy Hash: EA1173323042054F9B189AAEA98496BF7DEEFC8679314803FF50EC7758DE66EC014390
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: LR^q
                                                                                                        • API String ID: 0-2625958711
                                                                                                        • Opcode ID: dc56576c536a4eb28108d28eb4b1bc81d0d32cbc0e7ccf5b051406325495fe20
                                                                                                        • Instruction ID: d80e719ee30440b2b20a2c0533ac013d4d6ee90145b11d662672ab8bcc0283a1
                                                                                                        • Opcode Fuzzy Hash: dc56576c536a4eb28108d28eb4b1bc81d0d32cbc0e7ccf5b051406325495fe20
                                                                                                        • Instruction Fuzzy Hash: 96215E34B101089FDB189F69C454AAEBBF6EF8C724F148019E506AB3A4DFB5AC01CF95
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: LR^q
                                                                                                        • API String ID: 0-2625958711
                                                                                                        • Opcode ID: 415caa089685bce5dc3ffe4038416786476f2e80b15f6a1a398ff6e36bcd9077
                                                                                                        • Instruction ID: 64d3cfa911621f6e86464e2d23266c36ce142fb272eb7762ad74ca847ed63942
                                                                                                        • Opcode Fuzzy Hash: 415caa089685bce5dc3ffe4038416786476f2e80b15f6a1a398ff6e36bcd9077
                                                                                                        • Instruction Fuzzy Hash: 25216034B101049FDB189F69D454AAEBBF6EF8C724F108019E506AB3A4DF75AD018F95
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: fcq
                                                                                                        • API String ID: 0-2768158334
                                                                                                        • Opcode ID: 9f6c81acb8b35b44996ed209a7b7a1ea6fa7ddd0cf8c1889d4f9e8fb8cf24fbd
                                                                                                        • Instruction ID: f72dd29b1286b38dfe1f4125da4caf4e6514ffacf255eb8ff5df73c57c925720
                                                                                                        • Opcode Fuzzy Hash: 9f6c81acb8b35b44996ed209a7b7a1ea6fa7ddd0cf8c1889d4f9e8fb8cf24fbd
                                                                                                        • Instruction Fuzzy Hash: 6411E771B00114AFDB189FA998449FFBBBBF7D8211B108129F905D7744DA3D8E038791
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: fcq
                                                                                                        • API String ID: 0-2768158334
                                                                                                        • Opcode ID: 75b8836953a758cc08315d942e8eb83aa1f4328e4b176de8a4bd5c9b0c4e87d1
                                                                                                        • Instruction ID: df03a498d56d9e10098e32134f864df072f6cd8f336b1a18a2f424d5cadb2695
                                                                                                        • Opcode Fuzzy Hash: 75b8836953a758cc08315d942e8eb83aa1f4328e4b176de8a4bd5c9b0c4e87d1
                                                                                                        • Instruction Fuzzy Hash: BE11A575B001189FCB18AFA698449BFBBB7FBC8611B108029F909D7344DE399E029B91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 320d5ca93c4cb093d0f2c42ad9c6ff7ff64aad54720334ee3064469a8de6fc08
                                                                                                        • Instruction ID: 10cf385ef518d0770829c7915a86340cae68eb03e0e81b534c40fcd187b59c3f
                                                                                                        • Opcode Fuzzy Hash: 320d5ca93c4cb093d0f2c42ad9c6ff7ff64aad54720334ee3064469a8de6fc08
                                                                                                        • Instruction Fuzzy Hash: F4D15B74A003598FDB05CFA8C988A9DBBF2FF89314F148195D848AB36AD774ED46CB50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        • Instruction Fuzzy Hash: E241FC75B001149FCB54DF69D88099EBBB2FF88724B14816AE905EB360DB31ED42CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: bbd00a33a906b4903e3026ea8de5b02da42484031f4878ef6cff25cf05adf9b6
                                                                                                        • Instruction ID: 4b6031b8fa2ba8cdff425c2ad549824a8526c2634c0757483fba4fa570e74701
                                                                                                        • Opcode Fuzzy Hash: bbd00a33a906b4903e3026ea8de5b02da42484031f4878ef6cff25cf05adf9b6
                                                                                                        • Instruction Fuzzy Hash: 684162316002059FEB24DBA5D844BFFB3B6EF80316F005A29D1566B194DF78B98ACB91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 16bcca3ab50a6c33213d8b1b4cb523cee9a8d0ac74a9c1226bab800734e000ca
                                                                                                        • Instruction ID: 82668f7b72a0704ea4917a28d2d882eb07297a789caafe88f5e905b32ae25c63
                                                                                                        • Opcode Fuzzy Hash: 16bcca3ab50a6c33213d8b1b4cb523cee9a8d0ac74a9c1226bab800734e000ca
                                                                                                        • Instruction Fuzzy Hash: 6541BD307002558FCB24DB69D888ABEBBF6EFC9315B144569E146CB36ADB74EC09CB50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a58d1e9c9ce1c96fd7d7b44147ed1709c1a54eaac48df2e35183be8b85dba027
                                                                                                        • Instruction ID: 0653d204eb721245316616abee664c1b89719ba2048d765c76925c7e7f23c37b
                                                                                                        • Opcode Fuzzy Hash: a58d1e9c9ce1c96fd7d7b44147ed1709c1a54eaac48df2e35183be8b85dba027
                                                                                                        • Instruction Fuzzy Hash: A8318D35B001058FDB10CEA9D980AAAF7AAEF84369B18C17AE51CC7359DB31FC118B91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b6e0f3c000f88c72d55082e7fec4b9885bc4b39114a751b14015c0beec2383ed
                                                                                                        • Instruction ID: 2022bdfe5ad0fb056ad90894b29905f0c1a8b958ea57c4d14a1e94e91734e868
                                                                                                        • Opcode Fuzzy Hash: b6e0f3c000f88c72d55082e7fec4b9885bc4b39114a751b14015c0beec2383ed
                                                                                                        • Instruction Fuzzy Hash: 7621B1316853187FD70127A524117FABF49DF42338F00A066FE48D7657C929D842E3D0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: dd46ec625ec9f40dace6d9bb4c6e5c5278acd9d19629ab1d5738d71fe8fd21cd
                                                                                                        • Instruction ID: aaba2af2b561d2e05fbf19371f582259e958ce995f6842ff927af5305c42dd71
                                                                                                        • Opcode Fuzzy Hash: dd46ec625ec9f40dace6d9bb4c6e5c5278acd9d19629ab1d5738d71fe8fd21cd
                                                                                                        • Instruction Fuzzy Hash: 14214D32B003A4DBEB158F658A506FAFFAADB85265F04507BD806C7345EA24EE068791
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d0002d4f3e47f72186ea194f4795fa5afcfe1d4ae233133d59230b9d312c51b7
                                                                                                        • Instruction ID: 4ebc035b9055499b1e007c2fc28f5d52c364cdb3408f991c209fb4da1e9e5431
                                                                                                        • Opcode Fuzzy Hash: d0002d4f3e47f72186ea194f4795fa5afcfe1d4ae233133d59230b9d312c51b7
                                                                                                        • Instruction Fuzzy Hash: 6431AB342006018FC325CF25D588966FBF6EF897247188A68D44A8B76ADA34FC47CB80
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1840306807.000000000334D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0334D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_334d000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: fffd2a53bdd2caa8c903eae456dafc4cdc688774be931f99da9cc4971cace619
                                                                                                        • Instruction ID: 221b759bec7f95fce995744ce76da51e0aff278a72e9ed51499c77539888a48c
                                                                                                        • Opcode Fuzzy Hash: fffd2a53bdd2caa8c903eae456dafc4cdc688774be931f99da9cc4971cace619
                                                                                                        • Instruction Fuzzy Hash: 96212575604240DFCB05DF14DAC0B2ABFA9FB84324F24C5A9E9094B657C33AE456CBA1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: bee496e507e03773c3469e353b3e317755089eb604dbbcbd5bfba3a3bcb7d64c
                                                                                                        • Instruction ID: 011e59314fea3c4dd42b03c84dc9553da5b5c732185aed6017703e5763435090
                                                                                                        • Opcode Fuzzy Hash: bee496e507e03773c3469e353b3e317755089eb604dbbcbd5bfba3a3bcb7d64c
                                                                                                        • Instruction Fuzzy Hash: 7D21F234B00208CFDB04DFB5E8846AA77A6FB84729F108875DA058B354EB71F946CB91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7be4e9c41a7a2e0386ba5b3999e5dc96f45d570a285d4c2313aaa2e439439462
                                                                                                        • Instruction ID: 1bd7f6bc3e1358a76bbfd49bf81a5378f6ddc1149ca0a2f78260ec135b8bb11e
                                                                                                        • Opcode Fuzzy Hash: 7be4e9c41a7a2e0386ba5b3999e5dc96f45d570a285d4c2313aaa2e439439462
                                                                                                        • Instruction Fuzzy Hash: B0115E327442014FE714CA6DD890A6BB7DAEFC8278714943EA959C735AEE72FC018390
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7bf74e2d1a2cf7c3a51345c6f555a1a49c8c7e3d897c44244600c2694bec1a77
                                                                                                        • Instruction ID: 0d33b0a14cacfddf6116007ac62bede436f609e3cad294fe359a0dbd04017a91
                                                                                                        • Opcode Fuzzy Hash: 7bf74e2d1a2cf7c3a51345c6f555a1a49c8c7e3d897c44244600c2694bec1a77
                                                                                                        • Instruction Fuzzy Hash: 5311AF207083915FE72A5B72485072BAF569FD1174F0840B9D805CF383DE24EC06C3A0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6f8733ebf3b7cf26761f753625231cdceddc05fcdf84516fe7bcb73e5ec0ee70
                                                                                                        • Instruction ID: 21252edc10aa3b8b2436d5c2dcdf16563c32f007eb2868e240dd10aaffa40b3e
                                                                                                        • Opcode Fuzzy Hash: 6f8733ebf3b7cf26761f753625231cdceddc05fcdf84516fe7bcb73e5ec0ee70
                                                                                                        • Instruction Fuzzy Hash: 8D21C630A40205AFDB08DF69DD519EEBBB6EF8C331F144029D805A7794CE7AAC46CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: bb5614d2d6630737f5eb3aa24e3a17fb91219cf4e165cb8325cd9a9eb72db291
                                                                                                        • Instruction ID: 19a78ab0f052278997c4081aa57f501882f3b9cc10f46df3ca46b7cd24a5a568
                                                                                                        • Opcode Fuzzy Hash: bb5614d2d6630737f5eb3aa24e3a17fb91219cf4e165cb8325cd9a9eb72db291
                                                                                                        • Instruction Fuzzy Hash: E411663130D3D94FD71A5BB819212ADBF789F82224B1968E6D449DF383C908EC46C3A2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6f351e356aff5b020c83e89e53bc523adb6b610c45ace61ddb776669918398ac
                                                                                                        • Instruction ID: ea372f29940c6dc50ca6e8e598542b454feccb79a229feea86d6ac5060bc6def
                                                                                                        • Opcode Fuzzy Hash: 6f351e356aff5b020c83e89e53bc523adb6b610c45ace61ddb776669918398ac
                                                                                                        • Instruction Fuzzy Hash: FA212E75E101189FCB54DF69D8849DEBBF1EF4C720B10816AE915E7320D731A842CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0543753af37030158f8432b7d90011ea5cfb2625d731ecb5274b384b95e2a4da
                                                                                                        • Instruction ID: 4eb6e5cc0ee45d55d2e26a10340ffedf338413f41f28ab634c92107d484f2061
                                                                                                        • Opcode Fuzzy Hash: 0543753af37030158f8432b7d90011ea5cfb2625d731ecb5274b384b95e2a4da
                                                                                                        • Instruction Fuzzy Hash: 0801B12670D35417C72D57BA195022FFF4A9FC1270F0554A6ED08C7301ED24EC0183E1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5944b8045d9dd0257c0afc593a9965a69018702d926f6d42aeac737622ddcbe6
                                                                                                        • Instruction ID: 61324d2a22d682affd8fef3b7db126d6057d1f36e17e4acef33f904f85b95673
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 68b232340f46ecc697150f529a4889116dfea8872816553c8258c9e895edd5e7
                                                                                                        • Instruction ID: 976db1c58e2159aec77e12b6a97869e5734a634c298242a36b83a8e91beca186
                                                                                                        • Opcode Fuzzy Hash: 68b232340f46ecc697150f529a4889116dfea8872816553c8258c9e895edd5e7
                                                                                                        • Instruction Fuzzy Hash: E2018874E41209AFDB48EFB8E4815DCBBF1DF95214B0095A8C145EB356DA396F06CB41
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d9e0456c1c2f4f3b7a7474d349967d7da8995003f1d9e80858c5ea6e78529cba
                                                                                                        • Instruction ID: bdd547823a41f15c36a6329c6855a10bca7e71b97130782541d5c35d72d16eb5
                                                                                                        • Opcode Fuzzy Hash: d9e0456c1c2f4f3b7a7474d349967d7da8995003f1d9e80858c5ea6e78529cba
                                                                                                        • Instruction Fuzzy Hash: C2F0B4757452110FD7144A5EA894AEBBBFEFFD5668310057AF508C3361DA79DC038790
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9f563caf9fb8096afc23eb670740b870dadb393b427abb2fec83a5bc959a3f52
                                                                                                        • Instruction ID: b94c0fa1604f99edb0150ac9b4730ddddf84cb817580ae0d60e2bec4b0f64034
                                                                                                        • Opcode Fuzzy Hash: 9f563caf9fb8096afc23eb670740b870dadb393b427abb2fec83a5bc959a3f52
                                                                                                        • Instruction Fuzzy Hash: 4E017836A01905DBDB10CB68C68066DF3A6FF8837DB609639C41A9B248D731E84A8B80
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0464a94d544cd48cf27ff47b049b67432ab57be09e960b701c06fa3bc9abfb33
                                                                                                        • Instruction ID: 64e123310141949a08afcbbec0bfbbfe7c620d1e1f0dd299ea3c73f2539a292b
                                                                                                        • Opcode Fuzzy Hash: 0464a94d544cd48cf27ff47b049b67432ab57be09e960b701c06fa3bc9abfb33
                                                                                                        • Instruction Fuzzy Hash: D0014436B402109FE705DB99D8403BE73B3EFC4224F10815AC6566B344EBB5BC0A87C0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b48a965cddcd52c6febd4ebb96e1d3eb465a684f4dd51cfa3f7cbc68920012c0
                                                                                                        • Instruction ID: ad53afc35fee9cc2ae6d007594e958f36b82a3a47a1be27e2c680dd6b0fe7475
                                                                                                        • Opcode Fuzzy Hash: b48a965cddcd52c6febd4ebb96e1d3eb465a684f4dd51cfa3f7cbc68920012c0
                                                                                                        • Instruction Fuzzy Hash: ACF0723AB802104FE7069B9898003BD7363FFC4260F14806AC65A6F340EBB0BC0683C0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 259136b4186e6972603f8e9e8bdc2bc02bdcf3b952e432bf89715bcab09cd3fd
                                                                                                        • Instruction ID: fdd0175a376576a8d12a24a1f634286a28fdce566890931ef049be00bf0fd1af
                                                                                                        • Opcode Fuzzy Hash: 259136b4186e6972603f8e9e8bdc2bc02bdcf3b952e432bf89715bcab09cd3fd
                                                                                                        • Instruction Fuzzy Hash: B7F0E2F2B006050FD7184A5E688489AABE9EBD9224305803AE00DC7315ED65DC0747A0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3c0aa449e0242d1ad76a86012bc8ebee0a4ecbb2811ce651b5c074d15e737c1c
                                                                                                        • Instruction ID: 3903623262df3b6822d65279d90bbf6e35c14d99a233a2a9fde6114c83cca4b7
                                                                                                        • Opcode Fuzzy Hash: 3c0aa449e0242d1ad76a86012bc8ebee0a4ecbb2811ce651b5c074d15e737c1c
                                                                                                        • Instruction Fuzzy Hash: 2FF09E357093000FD705572DA4904AABFFBFBCA46032600F6D009CB357DD5A8C074362
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e8162466d9ab1929fa8c1ab77fc3a438bd8a9cacc0cf44e8b8604b6c1e1801a6
                                                                                                        • Instruction ID: 2fb385f021b8b0b7af974a313b29e982c0c0686db171ed68c2cfeb3991135e7b
                                                                                                        • Opcode Fuzzy Hash: e8162466d9ab1929fa8c1ab77fc3a438bd8a9cacc0cf44e8b8604b6c1e1801a6
                                                                                                        • Instruction Fuzzy Hash: 87F052317446000FE326A7ADA88108ABFE2EBC127434042B9D21DCB341EF2AEC478381
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a9ddd080062b7d9451aedaa449952ce25e508a5f6c9034bb3735bf40cb2227df
                                                                                                        • Instruction ID: 008955b8f8023ffa09bf6c99ad206a90141d99299e1bb190ee037246c6791817
                                                                                                        • Opcode Fuzzy Hash: a9ddd080062b7d9451aedaa449952ce25e508a5f6c9034bb3735bf40cb2227df
                                                                                                        • Instruction Fuzzy Hash: A3F0E26A25D7C40FDB1307792C650892F31EA9323439612FBD280CAAA7D41D982B8732
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: bfa927428f3907c2c1cb246fb9789760a21153b43634b244261674135be602ef
                                                                                                        • Instruction ID: 258e39c3195f35198c3b7f880ab512ecfde8a0386d8d00f7b452692a67b7d9c8
                                                                                                        • Opcode Fuzzy Hash: bfa927428f3907c2c1cb246fb9789760a21153b43634b244261674135be602ef
                                                                                                        • Instruction Fuzzy Hash: 26F0C8313003046FE718A7B9D84456EBAD6EBC0324740462CD25A9B359CF75BC0A47A0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e3e935391b017b3fcd1454eea55d899bd8d72df3d5c490d7576db73b92b103f4
                                                                                                        • Instruction ID: 07fae947234269446ce53384039368d3a9e3cd904fd1c4fde85166fd7a9f45e1
                                                                                                        • Opcode Fuzzy Hash: e3e935391b017b3fcd1454eea55d899bd8d72df3d5c490d7576db73b92b103f4
                                                                                                        • Instruction Fuzzy Hash: 55F02831108B904FC3328B29E404196BFF0FF8271C704096DC0C687A66D7F9A44AC741
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: ce5fe6b1ec2a64be913995e63a6e441637c9ef9f42fa32dcede6b18d61789bb2
                                                                                                        • Instruction ID: 60d2e4c70ea012f2f32d3ba0cd62bec66dd077e7945ef50b3d30298a10b05e37
                                                                                                        • Opcode Fuzzy Hash: ce5fe6b1ec2a64be913995e63a6e441637c9ef9f42fa32dcede6b18d61789bb2
                                                                                                        • Instruction Fuzzy Hash: FAF059357491919FCB055BB8C4540ADBF23EF9522472441BDC84B4B746CF2B9803C791
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 13f47fa48be6fccc807a76a601050f425dc5226659e4f3f0aeb46208057bff89
                                                                                                        • Instruction ID: b0764a9f80392ce7c02745858baef5f8ee57c67765ed8526c7bde7f60c992596
                                                                                                        • Opcode Fuzzy Hash: 13f47fa48be6fccc807a76a601050f425dc5226659e4f3f0aeb46208057bff89
                                                                                                        • Instruction Fuzzy Hash: 8AF05EB164E2D25FC712567CA8604C1BFB2AE6726035E43F7D080CBA57D62E9883C392
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5db3e7354dcf6ecae7680ec36f498c0588de468efc6cca02f946a22edf1768c1
                                                                                                        • Instruction ID: 5c9c884bc917e1b2bc4955493c908e0f0eb1726b8b7df8516d51f18bfd186698
                                                                                                        • Opcode Fuzzy Hash: 5db3e7354dcf6ecae7680ec36f498c0588de468efc6cca02f946a22edf1768c1
                                                                                                        • Instruction Fuzzy Hash: 18F0F670A803051FCB0CDF795F296167B9AEFC1628705186EC60ACF294F929D807C3D2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: bb07e462bd0a2a2a356cd2e09518155607c1e9a9b10270e89e182121fb010c51
                                                                                                        • Instruction ID: 82a1a1478b9be2dfc70c9758c6eff2d2bbd215a62b568c988a8b7cb89e0413d2
                                                                                                        • Opcode Fuzzy Hash: bb07e462bd0a2a2a356cd2e09518155607c1e9a9b10270e89e182121fb010c51
                                                                                                        • Instruction Fuzzy Hash: EFF0E9353443025FEB10D77CD891A997BE6EFC6264714057AE149CB725EA29EC43D390
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0dfa870ca3f46e43074939ee43857ce812192c73cca3d30a64e5b8cacacd26b4
                                                                                                        • Instruction ID: 8c7dee264c989dd4f68c9f393ffb64e92c5b1f53122900bc7f96cc03c12cf1ba
                                                                                                        • Opcode Fuzzy Hash: 0dfa870ca3f46e43074939ee43857ce812192c73cca3d30a64e5b8cacacd26b4
                                                                                                        • Instruction Fuzzy Hash: 00016274E00209EFDB48EFB8E9816ACBBF5EFC4204B0095A8D145AB351DA34BE05CB81
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b07abecc244c74e4004951405d8835311c4bed8a4ccb62545e922e4c49f3a513
                                                                                                        • Instruction ID: d34584234b95f9433111100e24a72e509b3acfc90e53266f576c912d09d16213
                                                                                                        • Opcode Fuzzy Hash: b07abecc244c74e4004951405d8835311c4bed8a4ccb62545e922e4c49f3a513
                                                                                                        • Instruction Fuzzy Hash: 50E0EC753042049FD314DF9CD980C91BBE9EF59368355809AE888CF322DB22FD12CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2f8f8a8fa1799c7ec2a40f5ce03bd6463ad4a044ddfed72d33bf3113e31d8502
                                                                                                        • Instruction ID: 45987aca123c85a2c83a03c021d3bb3ae4ded3684d79d030572547240a6bb126
                                                                                                        • Opcode Fuzzy Hash: 2f8f8a8fa1799c7ec2a40f5ce03bd6463ad4a044ddfed72d33bf3113e31d8502
                                                                                                        • Instruction Fuzzy Hash: B8D0A73F300128930614229F741462EF7AECBC5D73304016EEA0EC3344CF56AC0153E5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 1aa35a1cd8a9c1cab27646e51de63e9ef548d681f8afdf8f36a12bd89595bf20
                                                                                                        • Instruction ID: b7a6e0d20c6ee62e6066ec9b0db5efe0c8398eabce72d5a40a8e015630d4cdfe
                                                                                                        • Opcode Fuzzy Hash: 1aa35a1cd8a9c1cab27646e51de63e9ef548d681f8afdf8f36a12bd89595bf20
                                                                                                        • Instruction Fuzzy Hash: 31D09722B8D3A0BFC71422BA140018A7F4DCB42830F5160F3ED44DB60BC468AC03C3C0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 58eaabe075d35735e5e85f2c13c89b626c748fa260ee8f5bee2ee56b07af68a9
                                                                                                        • Instruction ID: 493aa0de5a0d19416c6e359c8965445d71ee50e59e75d45bb07819554fa31ed4
                                                                                                        • Opcode Fuzzy Hash: 58eaabe075d35735e5e85f2c13c89b626c748fa260ee8f5bee2ee56b07af68a9
                                                                                                        • Instruction Fuzzy Hash: 6AE0B674E0420CAFCB44EFE9D54459DFBF5EB88300F0081EAE809E7354EA345A448F81
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d9802bb90008281e30a44c3348032b0a3ef0cfff8c6dbf5407ba622647b2c402
                                                                                                        • Instruction ID: 8d34784fc9be9e3e36cac2571712ab83dd415b0b42ca57b0535f1de181535e32
                                                                                                        • Opcode Fuzzy Hash: d9802bb90008281e30a44c3348032b0a3ef0cfff8c6dbf5407ba622647b2c402
                                                                                                        • Instruction Fuzzy Hash: 8BD0129B91E76827D61D22E95D020CBEF484B96B70F0228E3D91CE6303A0096C0692F7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 393448079ad369f8e77513078818957534a52da7f9643ef74bbd09f6a281d8d8
                                                                                                        • Instruction ID: 21e936d19d88b345bf892e037508be6c309cfb0f35bb14eb0ad287981a0d08f3
                                                                                                        • Opcode Fuzzy Hash: 393448079ad369f8e77513078818957534a52da7f9643ef74bbd09f6a281d8d8
                                                                                                        • Instruction Fuzzy Hash: E5D0A73074C640CFCF4C4778A8154F43F6287721253000AEAC50AC2E62E12F5413D711
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 220eb3bdbc0958c4d1d3cc762f68ed11e56cffdcc5455136491cfd52a4150a1d
                                                                                                        • Instruction ID: f6041a2a59658da414df0bd329cb4029087b943af531fbdb56ad026b5457d549
                                                                                                        • Opcode Fuzzy Hash: 220eb3bdbc0958c4d1d3cc762f68ed11e56cffdcc5455136491cfd52a4150a1d
                                                                                                        • Instruction Fuzzy Hash: 86D0A7323501286B96046718DD8586ABB99E7953707105437FA0283324DD60BC5083D5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a3ac84ce11febbf5288289d11d9033cd9101e1a0e2120fd48d021cac1a8a498c
                                                                                                        • Instruction ID: 7cd8418009da7efa7eaf4b5538df4d518d61b4e3078d0edb6ab80c8bd6e9efc2
                                                                                                        • Opcode Fuzzy Hash: a3ac84ce11febbf5288289d11d9033cd9101e1a0e2120fd48d021cac1a8a498c
                                                                                                        • Instruction Fuzzy Hash: 24D01730A40208EF8B08DFB9EA4155DB7F9EB44204B1045E9D609E7280EB326E009B91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b591ca415feefa405766f64a0d5079c55ae873228f2e604afb7827233bc43866
                                                                                                        • Instruction ID: f5d348b3c0fa1c770adfe338cfbb4eaee7fcd09d67823b322ffdec47ba2b63bc
                                                                                                        • Opcode Fuzzy Hash: b591ca415feefa405766f64a0d5079c55ae873228f2e604afb7827233bc43866
                                                                                                        • Instruction Fuzzy Hash: B7E01230A0420BDBDB549FE1C554AAE7771BB04319F205454D405AA244DB745547CF81
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c883f7909f0b5203cd3dd8295651f74ce7148d14a327ecde4381d1d4d5529967
                                                                                                        • Instruction ID: d697d0a0318b1243e50e0a79fabba7c4c3833b4a750e32aed5b69ec68e619c77
                                                                                                        • Opcode Fuzzy Hash: c883f7909f0b5203cd3dd8295651f74ce7148d14a327ecde4381d1d4d5529967
                                                                                                        • Instruction Fuzzy Hash: 50D05EB0945209DFCB08DFB5E94095DBBFAEB45204B2086A6C408D3210EA305E04CB81
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8d4a2d353e0ec3f007f4f1ea7e175526311928afa3f1e17e34996b4e6aa7e2b0
                                                                                                        • Instruction ID: bc0aa44c154a1b5c7f57497e62783ba55f9438cc565322687a28fc5cd08321f1
                                                                                                        • Opcode Fuzzy Hash: 8d4a2d353e0ec3f007f4f1ea7e175526311928afa3f1e17e34996b4e6aa7e2b0
                                                                                                        • Instruction Fuzzy Hash: A3D01235605319AB8A055A55D900869B72AAF8567872880BDD94C0F755DE33EC43CBD0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0a03acf09bc4bfaf39d10b001bb48135b4fccfcfe38135f5d89e5341f2e5cb62
                                                                                                        • Instruction ID: 03c676d50e9b9133e71cf8fa19f39cbf8b8617ebb81d9893f7c77afcbc393fca
                                                                                                        • Opcode Fuzzy Hash: 0a03acf09bc4bfaf39d10b001bb48135b4fccfcfe38135f5d89e5341f2e5cb62
                                                                                                        • Instruction Fuzzy Hash: 60D0C930304208CBCB88DB65E955565B7AA9B8861931098EC990AC7341EB26FC12D650
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7353b5e60b5b8cfc8e5de49a90536d0f2ca95ec696e66ccc3f4945a86a732119
                                                                                                        • Instruction ID: d35a8dda9933c9c68bf125002de46ed8bd9368621b5ec8413f166b6ddc13b5f5
                                                                                                        • Opcode Fuzzy Hash: 7353b5e60b5b8cfc8e5de49a90536d0f2ca95ec696e66ccc3f4945a86a732119
                                                                                                        • Instruction Fuzzy Hash: BFC08C20B813098AFA282BA62B1933ABA4C9B80638F007894780EC5208DC29F8400244
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 668929314479589ef34a8d691babfe96024d8c674a72d899c79833fdcd1f0405
                                                                                                        • Instruction ID: 13465f0a3bffdd021134bc95516804100ea762c45e18570003ac97ccf1a1c622
                                                                                                        • Opcode Fuzzy Hash: 668929314479589ef34a8d691babfe96024d8c674a72d899c79833fdcd1f0405
                                                                                                        • Instruction Fuzzy Hash: F9C08CB3D645406FE72146014E8B4C23B30EBA07087468261E841A2053A2261C13E2AA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 28daa7bff891b37497ec59d8e7b37be77b909f58dbee5854754e1391ccf60cf3
                                                                                                        • Instruction ID: 8852bc75330cb5a187c575a93f3f2af58861646f397a09c9751e9f2e8b52842f
                                                                                                        • Opcode Fuzzy Hash: 28daa7bff891b37497ec59d8e7b37be77b909f58dbee5854754e1391ccf60cf3
                                                                                                        • Instruction Fuzzy Hash: BEB0927094530CAF8620DB99990185ABBACDA0A310F0001D9F90887320D976E91056D1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: be0410fc2c0e9f2d9ebcb840d18cf7211cba42681bffa4dab516ec2ef17f8544
                                                                                                        • Instruction ID: 74b83e0eda509f83a2f2afbc9cae3fbe347f85ed84c74b4537528d62b94875fb
                                                                                                        • Opcode Fuzzy Hash: be0410fc2c0e9f2d9ebcb840d18cf7211cba42681bffa4dab516ec2ef17f8544
                                                                                                        • Instruction Fuzzy Hash: D6B0124574410052F504E73549D44FAC0829BC0214FC4FC101002E001D5C14F0001004
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a0b4588c5d8448d0c21b5dd6aa16b9174ae9f5dbc52e31770f537ed1b914c49e
                                                                                                        • Instruction ID: ebc251d19ed82c6be80bec8415aefea45b2134dcf01d0cd94bd5ca8c1f8e3369
                                                                                                        • Opcode Fuzzy Hash: a0b4588c5d8448d0c21b5dd6aa16b9174ae9f5dbc52e31770f537ed1b914c49e
                                                                                                        • Instruction Fuzzy Hash:
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000003.1839907016.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_3_4e70000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq$,bq$,bq$Hbq$`]cq$`]cq
                                                                                                        • API String ID: 0-2072144370
                                                                                                        • Opcode ID: 68623852fc714f75aa53e91e934a859ba9a7e4d108cb133e0590c0c59e8c1590
                                                                                                        • Instruction ID: 1572587dde137ede3ae68fbf138ce7f463c0a47dd08fb0d8c0548f66cfea2527
                                                                                                        • Opcode Fuzzy Hash: 68623852fc714f75aa53e91e934a859ba9a7e4d108cb133e0590c0c59e8c1590
                                                                                                        • Instruction Fuzzy Hash: AD413A35B041248FEB289F3DA41846D37E6EFCA67632514ABD006DF3A1DE39EC018795
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ToX$ToX
                                                                                                        • API String ID: 0-2748057555
                                                                                                        • Opcode ID: 40663c18ee8034841bf8c0958dad8e38d531d71933c3c88316d08690666d772e
                                                                                                        • Instruction ID: e64de1d4c4f4f80506e39e2adfe5ccea0b4628537c02620593e39363a4b82591
                                                                                                        • Opcode Fuzzy Hash: 40663c18ee8034841bf8c0958dad8e38d531d71933c3c88316d08690666d772e
                                                                                                        • Instruction Fuzzy Hash: C4B15E70E00229DFDF24CFA9C9857DEBBF1EF88314F148569D819A7294EB74A845CB41
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ToX$ToX
                                                                                                        • API String ID: 0-2748057555
                                                                                                        • Opcode ID: 716186100ae02623335a44c0f91db11a88a3ebd0ad487bea1a6a1deace1264a9
                                                                                                        • Instruction ID: a2cf71f2b4af71ba96e6932d90b0fc465f327d4dff2cd72b00304b9eae66bac1
                                                                                                        • Opcode Fuzzy Hash: 716186100ae02623335a44c0f91db11a88a3ebd0ad487bea1a6a1deace1264a9
                                                                                                        • Instruction Fuzzy Hash: 06B14E70E00219EFDB20CFA9D9857DDBBF2EF88314F148569D819E7254EB74A846CB81
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ToX$ToX
                                                                                                        • API String ID: 0-2748057555
                                                                                                        • Opcode ID: b84360283393652787f52a45b440a0ef5d2d5f03ed9ccd56031bef2c9871f2a7
                                                                                                        • Instruction ID: d0def5bdaccaefe40652802e062e5c4bd1032ee2289ab9a855319de068318da7
                                                                                                        • Opcode Fuzzy Hash: b84360283393652787f52a45b440a0ef5d2d5f03ed9ccd56031bef2c9871f2a7
                                                                                                        • Instruction Fuzzy Hash: D5C15F70E00229EFDF20CFA8DA857DEBBF1EF48318F148569D419A7254EB74A845CB91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ToX$ToX
                                                                                                        • API String ID: 0-2748057555
                                                                                                        • Opcode ID: ea4a92f0552b2b5a52005205b40d42fa6e3c10563824f6439f3a7e0694593eb1
                                                                                                        • Instruction ID: f73d72d88bb7748f771a0dcca89d0b3e9cd0adefb659a07241f2b6beb7c9ecba
                                                                                                        • Opcode Fuzzy Hash: ea4a92f0552b2b5a52005205b40d42fa6e3c10563824f6439f3a7e0694593eb1
                                                                                                        • Instruction Fuzzy Hash: B4B14E70E00219EFDB20CFA8CA857DDBBF1EF49314F248569D819E7254EB74A846CB91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $^q$$^q
                                                                                                        • API String ID: 0-355816377
                                                                                                        • Opcode ID: fda9fb6c65f0b36a74d8def1c56f14cbeb7a851691280f56bf14407def0404be
                                                                                                        • Instruction ID: c8c0a5f989b8ed38d33d46eea2a3321f433c1d38d7ab5cac554ceb4f1c4dd33c
                                                                                                        • Opcode Fuzzy Hash: fda9fb6c65f0b36a74d8def1c56f14cbeb7a851691280f56bf14407def0404be
                                                                                                        • Instruction Fuzzy Hash: D351E171B002199FC715DF7CD9506AEBBF6EFC9350B1481AAE819DB364DA30AD02C791
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq
                                                                                                        • API String ID: 0-149360118
                                                                                                        • Opcode ID: 91e0377372426bf548fb7b840367979b947764012e4fedbdf3be58ec5b6ff80b
                                                                                                        • Instruction ID: f4ba0691ccf2af1beeee9ab87f176c3c0aa5438aa7728dab6fd6f221693156ba
                                                                                                        • Opcode Fuzzy Hash: 91e0377372426bf548fb7b840367979b947764012e4fedbdf3be58ec5b6ff80b
                                                                                                        • Instruction Fuzzy Hash: FF71B635B002249FDB04ABB9C95466EB7A7FFC8700F148469E50AEB3A4DE75EC428751
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq
                                                                                                        • API String ID: 0-149360118
                                                                                                        • Opcode ID: d37082054e3640fc558346106daa1189b63014473205d6e3afee059f4fb18af4
                                                                                                        • Instruction ID: eefaceb6cdaee7135002c3942bb8b540a56a22440b053b3caed46001815a979a
                                                                                                        • Opcode Fuzzy Hash: d37082054e3640fc558346106daa1189b63014473205d6e3afee059f4fb18af4
                                                                                                        • Instruction Fuzzy Hash: 2C41E631B401246BEB18AA79D56476F67A6DFC8715F1484B9E90BEB380CE35AC0287D1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (bq
                                                                                                        • API String ID: 0-149360118
                                                                                                        • Opcode ID: 1dc60fa343d92e26304f8eb8189a6dde0011e908af29a99c7bff5eb78067980e
                                                                                                        • Instruction ID: 7cf29c336bcb36312d46ce124a3bdb453d4936903a0e5d2a0b0eb8c8e5ee6d62
                                                                                                        • Opcode Fuzzy Hash: 1dc60fa343d92e26304f8eb8189a6dde0011e908af29a99c7bff5eb78067980e
                                                                                                        • Instruction Fuzzy Hash: 1E513B30B05264AFE704AB68C5547AE7FF2EFC9304F1484AAD50AE7385CE396C06CB91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ToX
                                                                                                        • API String ID: 0-2955720788
                                                                                                        • Opcode ID: 16b028c43281b34d52cda8cf7367f470c63d6fa864df94a1817a0b7c6ddfb50b
                                                                                                        • Instruction ID: 3f71655e64fd2733db3e79503c8321b9311766ee5bed759fc93b1294037e2af4
                                                                                                        • Opcode Fuzzy Hash: 16b028c43281b34d52cda8cf7367f470c63d6fa864df94a1817a0b7c6ddfb50b
                                                                                                        • Instruction Fuzzy Hash: 5A2113B1D002498FDB10DFAAC584ADEFBB0FF48324F10802AD459A7240C775A946CFA1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ToX
                                                                                                        • API String ID: 0-2955720788
                                                                                                        • Opcode ID: 5d244f860cfae9ecd84e238f15bbf1b3b58dcde01cd5f981fc99f489079ed81f
                                                                                                        • Instruction ID: c7513188c2f2dd0e64ab7a564ef250120ac55e62f3783947d72abb937f6dfb71
                                                                                                        • Opcode Fuzzy Hash: 5d244f860cfae9ecd84e238f15bbf1b3b58dcde01cd5f981fc99f489079ed81f
                                                                                                        • Instruction Fuzzy Hash: 7A11F2B1D042498FDB20DFAAC584AEEFBF4FF88324F10842AD459A7250C774A945CFA5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6647ac01953ecc8c683196232cd28508487bfb2b9cd2e7bb19533f41f8fa319f
                                                                                                        • Instruction ID: 0d6cef92ba79dcc5f21d241e8036db166b64cffb12d6d4ade9a5fc9da3a8f3e7
                                                                                                        • Opcode Fuzzy Hash: 6647ac01953ecc8c683196232cd28508487bfb2b9cd2e7bb19533f41f8fa319f
                                                                                                        • Instruction Fuzzy Hash: B1318832B051647FE3189A7DB52922A7B67DBD2304B0A81B7C61DDF242DD25BC0383E2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f0ac54c82ba15dad0081325337c965adea12d299759fa0460051c39e31239ee8
                                                                                                        • Instruction ID: 1f29c3de18559cb744efb0c0da5e63ea62c9f3d93ac0fcef9668b4fe5c9d7599
                                                                                                        • Opcode Fuzzy Hash: f0ac54c82ba15dad0081325337c965adea12d299759fa0460051c39e31239ee8
                                                                                                        • Instruction Fuzzy Hash: 06411A31A05218AFE704DFA8D9207AA7FB6EF99314F1040A9D90ED7391CE35AD42C7D1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 323b1bb48c471146cda621a29829560ece013d79914e868ee02942f10097a5e7
                                                                                                        • Instruction ID: f638ceff9fa6c5681cacb75adfac15f46133523edc944a4fc61b55f783983fca
                                                                                                        • Opcode Fuzzy Hash: 323b1bb48c471146cda621a29829560ece013d79914e868ee02942f10097a5e7
                                                                                                        • Instruction Fuzzy Hash: 7731BD32B052642FD7195A35796162B7F6AEF81340B0580E7D61DCF241DA24BC02C3E1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9212709a7555dadc2cb56f000316048c567891978be1780583737ceb977765e1
                                                                                                        • Instruction ID: 8d4bed20b52e24d6d690292ca09b275ab466314084e35d9ebdecb25e32a270f0
                                                                                                        • Opcode Fuzzy Hash: 9212709a7555dadc2cb56f000316048c567891978be1780583737ceb977765e1
                                                                                                        • Instruction Fuzzy Hash: 9F410E75B101189FCB54DF68D98099EBBB6FF8C714B1481A9E909EB360DB31EC42CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.1845754303.000000000488D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0488D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_488d000_rundll32.jbxd
                                                                                                        • Opcode Fuzzy Hash: 664e3cb2c996f2439ae2a0f1a233d69060d16e63ad5542f6b0321e4cc0979739
                                                                                                        • Instruction Fuzzy Hash: BBE0D82070B6709FA72A167165142BE3B999D4361170640E6E81FC6591DA0C9D434755
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9073e597f74619ce49698ef0c2d563a241c390de4c05199af178d82496396d31
                                                                                                        • Instruction ID: 7c891803b92c2f47775e1665ebba6d775ddead99218cc837444ad55bf1222c1c
                                                                                                        • Opcode Fuzzy Hash: 9073e597f74619ce49698ef0c2d563a241c390de4c05199af178d82496396d31
                                                                                                        • Instruction Fuzzy Hash: 8AE02B326096604FD7018338E0606993FB4CF4BA28F1200EBD20ACF363C941CC0383CA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 761ff1efb562a2c4f937684ebf75de6f6ca1b236cb3a47a90470e1e60d5842da
                                                                                                        • Instruction ID: aa242f7dabbad81e0f23dbead8f28851fb0461a326f3d83db6de59372601ba9b
                                                                                                        • Opcode Fuzzy Hash: 761ff1efb562a2c4f937684ebf75de6f6ca1b236cb3a47a90470e1e60d5842da
                                                                                                        • Instruction Fuzzy Hash: AAD02B3031313497DB2C19B665042BE358CDB43651F4100E5F41FC2280DF0CDD434784
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 1bfb7fca95d3311392cd063a3a271fd5c5f8995544127e64b1d1d1e13b6035e0
                                                                                                        • Instruction ID: 4fc58aefc0c30396fdd88b4fa1f16e6b6d5b86f654514686d530af979282b6c6
                                                                                                        • Opcode Fuzzy Hash: 1bfb7fca95d3311392cd063a3a271fd5c5f8995544127e64b1d1d1e13b6035e0
                                                                                                        • Instruction Fuzzy Hash: 77D02B3311D6541FC3066B60E4610E57FB4D75B12030580F3E9868B762CD214D02C3D1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9c730dc1b38eb83a6e98bdd1d5bd21e429ced4934e0a93a753b44415847193fb
                                                                                                        • Instruction ID: b58e8b9f8c4ce6a83d2f530642909f74c0efcfb67fb1dce19f378860c37c93c1
                                                                                                        • Opcode Fuzzy Hash: 9c730dc1b38eb83a6e98bdd1d5bd21e429ced4934e0a93a753b44415847193fb
                                                                                                        • Instruction Fuzzy Hash: 2BE0DF7090A2488FDB05CBB0E91029D7FF5DA0220872185EBD448D7362DA305E08C780
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e812d793f9cce4e4f7f7c31ea18da21209ca08e37cbd474a5313472c61001d96
                                                                                                        • Instruction ID: bba9e354e037f8c6190356dfa3d032c890d50191271e05aeee4a0be7f82675cf
                                                                                                        • Opcode Fuzzy Hash: e812d793f9cce4e4f7f7c31ea18da21209ca08e37cbd474a5313472c61001d96
                                                                                                        • Instruction Fuzzy Hash: E3D0A931350220ABD604A76CE45097E7399DB8A72AB0008AAF20ECB324CD92FC000689
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 53791ee3cc9f075628f8531a7980c153e609b1cf44fd622eb67ec868964c5df8
                                                                                                        • Instruction ID: 9abf17fc884f2ce94353093ce5258f27b81e6d48e331e2e81f7672f0f0c57762
                                                                                                        • Opcode Fuzzy Hash: 53791ee3cc9f075628f8531a7980c153e609b1cf44fd622eb67ec868964c5df8
                                                                                                        • Instruction Fuzzy Hash: 0CD0A93232002C6B96047658D98697ABBA9EB893A03108473FA0A83228DD70BC4093D9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2c5a753f3605231597dfc89a70ddc56c97b7ec7f4a87338a3e8ec301b4c47e18
                                                                                                        • Instruction ID: ab260c6b064c6da8860e58badb1873c47fe48cf7e598a62a3e2c451109de44ed
                                                                                                        • Opcode Fuzzy Hash: 2c5a753f3605231597dfc89a70ddc56c97b7ec7f4a87338a3e8ec301b4c47e18
                                                                                                        • Instruction Fuzzy Hash: 6AD05E7090120DDFCB04DFB5E941A5DBFF9EB44204B2086A6D408D3710EB305E04CBC0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7e27fccf46952c05696340ab25ab87f9cd333be157f82cade43f645fc6d68dc2
                                                                                                        • Instruction ID: a4c3eb4b27fc29eedc37366cf121e74aa777de5207efdbed3e5ba7a1a61e9e51
                                                                                                        • Opcode Fuzzy Hash: 7e27fccf46952c05696340ab25ab87f9cd333be157f82cade43f645fc6d68dc2
                                                                                                        • Instruction Fuzzy Hash: DCC08CB2E106308BE1048A0C42886E67320EF3160EF84C0ABC2480C005E23340178A54
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000003.1845161190.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_3_4b20000_rundll32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7356bb8d233420a2ee719d47cc0d75882c61b515249a53c2ce49be8884b42265
                                                                                                        • Instruction ID: 1842dd364b7abf90dd723d5fe10f59d78a88b63d04ebb27c723592d28f7cc1ab
                                                                                                        • Opcode Fuzzy Hash: 7356bb8d233420a2ee719d47cc0d75882c61b515249a53c2ce49be8884b42265
                                                                                                        • Instruction Fuzzy Hash: 8CB01285685010177600B7394AD44F78096A6C0204BC4CC901107A001C5C24F0001004
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 87ead7b3d215cc8d0036910d4282737c0a6f778c9452f4c8bff49f029845b155
                                                                                                        • Instruction ID: da7381d3b1c1dc33d962bfbd46504d753a2822ee463a1413f143e0dcff2e9a3a
                                                                                                        • Opcode Fuzzy Hash: 87ead7b3d215cc8d0036910d4282737c0a6f778c9452f4c8bff49f029845b155
                                                                                                        • Instruction Fuzzy Hash: 2DE1D630A09A4D8FEBA8DF28D8657E977E1FF54310F04426ED84DC72A6CF7899458B81
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9652f4e5ad7dd68c3be8cd90aae2e41e094ff0ebd1f4dd69609746ce4cb8fccd
                                                                                                        • Instruction ID: f5cbb0c5a7781673340c25b5ed61f958b9060c293f3c61ba9af11426d82422f7
                                                                                                        • Opcode Fuzzy Hash: 9652f4e5ad7dd68c3be8cd90aae2e41e094ff0ebd1f4dd69609746ce4cb8fccd
                                                                                                        • Instruction Fuzzy Hash: 56318B71E1952D8FDBA9DF44C4A07E8B3B1FF49304F5141E9D44E93295CA38AA81DF40
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 05653174d4b3cf0802f03d56d3d335d65786a43a3306151a7fee8620a13686c8
                                                                                                        • Instruction ID: 5184c1b4c0553950f1eae91787fa2cf2176f4ec2bb7b0b4e336aafb559e9491e
                                                                                                        • Opcode Fuzzy Hash: 05653174d4b3cf0802f03d56d3d335d65786a43a3306151a7fee8620a13686c8
                                                                                                        • Instruction Fuzzy Hash: 47012930D4E25E8BD3659EA0C4657F9F1B4AF07304F513479D059672A2CA7D9644EF08
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c3c85c5057ce4649cbc2f7edf105466da27b462ab11402752328db9ab9e03658
                                                                                                        • Instruction ID: f7120b462b2451cf2f06b9a86fc88491f0fe3f49fecaba10a376bac09cfd733f
                                                                                                        • Opcode Fuzzy Hash: c3c85c5057ce4649cbc2f7edf105466da27b462ab11402752328db9ab9e03658
                                                                                                        • Instruction Fuzzy Hash: C2014C31E1552D8BDBA59F68C8A53F8B2A1EF05605F4140B9E05D922A2CE342FC5EF00
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: L_^
                                                                                                        • API String ID: 0-3811526842
                                                                                                        • Opcode ID: 4d68baa9322ba15718a9d258d9e264d1bf0391712c285cbfc5fe4322f27df469
                                                                                                        • Instruction ID: 024706ef27ee55003ce8a1d703f6632d3a61427a13c05aa146e35ea4a4afea0a
                                                                                                        • Opcode Fuzzy Hash: 4d68baa9322ba15718a9d258d9e264d1bf0391712c285cbfc5fe4322f27df469
                                                                                                        • Instruction Fuzzy Hash: CCC13C22B1E6560FD365BBB8E8A61F87BB0EF42325B0501FBC0D9CB0E3E91C15499791
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908815650.00007FFD9B4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b4f0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5bc0a10282c0ddc3577d519fe9fb244ba4386edfe1ed6328b2ebdcaa43564b24
                                                                                                        • Instruction ID: 90e7f3b2bcdd80831a6921f9eec485f1122e4913dbd21bbdc6205d4296b5dddd
                                                                                                        • Opcode Fuzzy Hash: 5bc0a10282c0ddc3577d519fe9fb244ba4386edfe1ed6328b2ebdcaa43564b24
                                                                                                        • Instruction Fuzzy Hash: 2DF12B30B0DA494FE7A99B6C98296747BD1EF96714B0502FED08EC72F7DD18AC428781
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908815650.00007FFD9B4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b4f0000_AteraAgent.jbxd
                                                                                                        • Instruction ID: 2ac671beba749ab7e52eb71601376e89e0a3dfe237efeb2327cd3692f66f12ab
                                                                                                        • Opcode Fuzzy Hash: 8c03abaa1f9ea2358cb72cbfe9e65c28364fedd6b05b7c87ddfdf2ce24e0d4f2
                                                                                                        • Instruction Fuzzy Hash: 6A219070E19A5D9FEB91EBA8C859AEDBBF1FF58314F10007AD048E32A2DB345845CB41
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 72dcdaf90f16110a593f6ff2666cf74e287fef39fdb1dd39b284515a2e06257e
                                                                                                        • Instruction ID: c7d919226565deaed7ed4a225f401e56b0d790f4bf0835587a7e9bb9df420711
                                                                                                        • Opcode Fuzzy Hash: 72dcdaf90f16110a593f6ff2666cf74e287fef39fdb1dd39b284515a2e06257e
                                                                                                        • Instruction Fuzzy Hash: FA212630E4965D8FDB58DBA4D820AFEB7B1FB49300F0501BAE049D72A2DB34A950CB50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f8adeaeef5992a973adb2b7b2bfc563401e4cce22c154c253f36fa8dade76af9
                                                                                                        • Instruction ID: f5d9eef563f21fe05a9199fcfb6208ba79ad146b7ca6b0faa57f9a6f2abf4639
                                                                                                        • Opcode Fuzzy Hash: f8adeaeef5992a973adb2b7b2bfc563401e4cce22c154c253f36fa8dade76af9
                                                                                                        • Instruction Fuzzy Hash: 67212730E1960DDFDB98DBA4C8616ECB7B1FF59304F510079D44AE32A1CB38A985DB41
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e867a3c152e39c0df40984513925e6bfa82c37cb8d3894a9fed0ab0438e29c90
                                                                                                        • Instruction ID: efcea92b0f692af277bb699939298f3b626342ae1410ab560555280cdffc7755
                                                                                                        • Opcode Fuzzy Hash: e867a3c152e39c0df40984513925e6bfa82c37cb8d3894a9fed0ab0438e29c90
                                                                                                        • Instruction Fuzzy Hash: 1931F93090962C8FDBA9DB68C855BE8B7F1EF59301F1001E9D05EE72A1CA785E85CF40
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e2d08614efe2103976d736620f72bba710dc5d85c673aafb4e5faf88008ac065
                                                                                                        • Instruction ID: 09b6b5874872dadd98be72ff4a4223a04ae1734e2f52f2c79c85a38574498854
                                                                                                        • Opcode Fuzzy Hash: e2d08614efe2103976d736620f72bba710dc5d85c673aafb4e5faf88008ac065
                                                                                                        • Instruction Fuzzy Hash: C6314970E0A62D8FEBA5DB64C8557E8B6F0EF14304F4041E9E48CD32A2DA785E85DF40
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 97fe3806494eb6ada32f7e40ab050514e7694e56a822546735506a328343fe4c
                                                                                                        • Instruction ID: 443efa6c3d5865272b7928a3cb07313e70c274b3762a12fdc72ae2585103ef87
                                                                                                        • Opcode Fuzzy Hash: 97fe3806494eb6ada32f7e40ab050514e7694e56a822546735506a328343fe4c
                                                                                                        • Instruction Fuzzy Hash: 8F11C43190EB8D5FDB969BB4C8246E8BFF1EF06304F4501BAD488D71E2DE286949D701
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8c329662298750dc0d88fd856d6015941962d7cd83003ef4648221e8bff321e7
                                                                                                        • Instruction ID: a8d77566a9321222f7594c5a33769a3307908203776f4edb3b93239c9f909e68
                                                                                                        • Opcode Fuzzy Hash: 8c329662298750dc0d88fd856d6015941962d7cd83003ef4648221e8bff321e7
                                                                                                        • Instruction Fuzzy Hash: 7A11CA26A0E5DD0BEB24BF68D8B15F93B70FF45218F0606B6D498870E3ED2965458281
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c4a5adb9351f2630b196334fc2c8ea324bd3462f55cb305493e9390a1044d3e7
                                                                                                        • Instruction ID: d234a09ad8df5265862a056a4368e070a3ce1938584919b51547c681339e95d8
                                                                                                        • Opcode Fuzzy Hash: c4a5adb9351f2630b196334fc2c8ea324bd3462f55cb305493e9390a1044d3e7
                                                                                                        • Instruction Fuzzy Hash: B3012620F15A4D4FE790EBDCA8299FDB7F4EF80261B800076D069C71A1E9182C468702
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2300ea77ef0fc2898018937509c7648b2d8928d96937578c5f3002fb37b4ae80
                                                                                                        • Instruction ID: 232743bf23f26c65873e4655af7b8e6e5da854582617908ddc386ffaf2692d05
                                                                                                        • Opcode Fuzzy Hash: 2300ea77ef0fc2898018937509c7648b2d8928d96937578c5f3002fb37b4ae80
                                                                                                        • Instruction Fuzzy Hash: 8F112132E0D68D8FDB509BA4C4666EEBBB0EF06314F0102BAE009E71D3DB7C65488B41
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c216557f84ec15528304e73f99b3ae682818fb5ef19984bac4ec3741052590dc
                                                                                                        • Instruction ID: 9e85c4e8f69c715833b9e5646035b53b803ac718ec6748531e7d593e732f5b9b
                                                                                                        • Opcode Fuzzy Hash: c216557f84ec15528304e73f99b3ae682818fb5ef19984bac4ec3741052590dc
                                                                                                        • Instruction Fuzzy Hash: A511A230E0A91DCFDBA4DB98D494AECBBB0EF69315F4110A9D04DE3251DB35AA80DB01
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 755ca9860443a4ea0a7f65c64c03a5cad8d85f347cee905f831bde9a5deda75e
                                                                                                        • Instruction ID: 50d9a30fc62ebe0b90cbb11e2192cd1193c31dd9eed3fb86f7f948ab2d42f677
                                                                                                        • Opcode Fuzzy Hash: 755ca9860443a4ea0a7f65c64c03a5cad8d85f347cee905f831bde9a5deda75e
                                                                                                        • Instruction Fuzzy Hash: 38114970E0962D8FEBB5DA54C8593E8B3F1EB64304F0041F9E08C93261DA785E859F80
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 659c37c838df1e203522add273120eebc47cc15d55e91e5355bd724ecc412469
                                                                                                        • Instruction ID: 47514a02ff769d91d90cb18368b3520a1975d1198235e89ae3dfbf73f60fc0a9
                                                                                                        • Opcode Fuzzy Hash: 659c37c838df1e203522add273120eebc47cc15d55e91e5355bd724ecc412469
                                                                                                        • Instruction Fuzzy Hash: 3801D23150FA8E8FE769AA6498252EA72A1EF41310F0105BFC46AE72E5DE392D449A41
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 829651b9aaeda8058d5c22a8ac9b228996c9fa3d635af96ddf751a2d9c1551d5
                                                                                                        • Instruction ID: 5047af2dccd1cf71e85b0802bfdb3a288a0a11154b4185b0ff73102204accd3e
                                                                                                        • Opcode Fuzzy Hash: 829651b9aaeda8058d5c22a8ac9b228996c9fa3d635af96ddf751a2d9c1551d5
                                                                                                        • Instruction Fuzzy Hash: EA015E70A0A61D9FEBB2DBA488156A8B7F4FF09314F0501E5E49CD3162DA386F869F40
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5f0f2b9c5d93db0a9fdb90ca188b5f32b18429fa5e24c14ad4b9e292e8465159
                                                                                                        • Instruction ID: f72b0d3aa259b43a4b722668c066f5896beb548bc1cf6f767724f24ad377d96f
                                                                                                        • Opcode Fuzzy Hash: 5f0f2b9c5d93db0a9fdb90ca188b5f32b18429fa5e24c14ad4b9e292e8465159
                                                                                                        • Instruction Fuzzy Hash: 77119FB090962D9FEBA1EB688855BE9B7F0AB19300F4041E6A44DE3251DA386B859F40
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: ea88775f45540e3a7aba9e7be89e6d9d9a4e4986a02574bc0e0154df892562b1
                                                                                                        • Instruction ID: fab33aa40fe6936c9838e1f68822a0753169cb48bac09749c585a7c8566a1bcf
                                                                                                        • Opcode Fuzzy Hash: ea88775f45540e3a7aba9e7be89e6d9d9a4e4986a02574bc0e0154df892562b1
                                                                                                        • Instruction Fuzzy Hash: 0D01F53060E38A8FD75A9B7488297987BA0EF02314F0504BFC0669B2E3DA3D6848C741
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 486cf1f5807bf4c784f55935a606d1e82eb8b751e186eb149ccdc34db240a954
                                                                                                        • Instruction ID: 34388ccf56622812f00555e70e1e79b50ba9bc37b2b19046b45b721c1ef5b47c
                                                                                                        • Opcode Fuzzy Hash: 486cf1f5807bf4c784f55935a606d1e82eb8b751e186eb149ccdc34db240a954
                                                                                                        • Instruction Fuzzy Hash: B1010C3190961D8FDB69DBA4C4A43E9B2B1FF45304F1104FDD05EA76A2CB795A84DF00
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1908541007.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: dec89e28fdc6a26eec37f86e27a97e435af954813786c0c702a7b063dabc1d4e
                                                                                                        • Instruction ID: cb2ba812348bbf12c7fdbfd3e188437e44cd016d0dd84d15313a125e2b29d407
                                                                                                        • Opcode Fuzzy Hash: dec89e28fdc6a26eec37f86e27a97e435af954813786c0c702a7b063dabc1d4e
                                                                                                        • Instruction Fuzzy Hash: 71914D70E0961D8FEB68EF54C865BA9BBB1FF54300F1101BDD41DA72A2DA346A85CB41
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: [c$([c$0[c$8[c$@[c$H[c$P[c$X[c$`7c$h7c$h[c$p7c$p[c$x6c$x7c$x[c
                                                                                                        • API String ID: 0-649894120
                                                                                                        • Opcode ID: eb0176c069bf6391eac225bd34279d45087b9ee696056dba2dace71d2628b2d6
                                                                                                        • Instruction ID: 340f0335090538ba90fa8e3fae303f4d7499cffc492aaae69488488e0b2ccea6
                                                                                                        • Opcode Fuzzy Hash: eb0176c069bf6391eac225bd34279d45087b9ee696056dba2dace71d2628b2d6
                                                                                                        • Instruction Fuzzy Hash: 65D17F70A19A5D9FD786EF78C864AA8B7F1EF46304F1001FAD40DDB2A6DE345982CB50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: )$,$/$X$X$]$x$}
                                                                                                        • API String ID: 0-3461455369
                                                                                                        • Opcode ID: 151d6b3d2be6631c8c499a1923debce40df59fc179224cef7065ab4c26a27b75
                                                                                                        • Instruction ID: 33a3aa22eb6cec5e7da8e83ba1166b35061d2bc23adec709969d174a397f13ac
                                                                                                        • Opcode Fuzzy Hash: 151d6b3d2be6631c8c499a1923debce40df59fc179224cef7065ab4c26a27b75
                                                                                                        • Instruction Fuzzy Hash: 41626C21F0EA8D1FE769A77848351B93BD2EF86314B5A41BAD08EC71F7DD289D428341
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 0:c$8:c$@:c$H:c$P:c$X:c$`:c$`:c
                                                                                                        • API String ID: 0-3324031494
                                                                                                        • Opcode ID: 1fa4010ac8a2baed4e391d247eb2293ef006d64697e5c596898e2f0ab172a634
                                                                                                        • Instruction ID: 06deff0a6f8540fb97a56d984a040a8cefb3acb1a0ca41a10293c0ba782829fa
                                                                                                        • Opcode Fuzzy Hash: 1fa4010ac8a2baed4e391d247eb2293ef006d64697e5c596898e2f0ab172a634
                                                                                                        • Instruction Fuzzy Hash: F612C230B2D74D4FE769EB5C84A153ABBE1EF95700F15417DE08AC72A6DE28EC428742
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: Hc$Hc$Hc$X9c$`9c$`9c$M_^$kq
                                                                                                        • API String ID: 0-515453754
                                                                                                        • Opcode ID: 9f32f4334c63f823272cc0e1c19657871348b0e6497cf570c2acfab94b408345
                                                                                                        • Instruction ID: 8d5fc1c959b4b254acf93b7a7820b7aa6f9fe076626e035ff5a1fa732a53fae9
                                                                                                        • Opcode Fuzzy Hash: 9f32f4334c63f823272cc0e1c19657871348b0e6497cf570c2acfab94b408345
                                                                                                        • Instruction Fuzzy Hash: 7341122170EA4A1FF75AEA7C58606A03BD1EF96354B0601FFE048CB2A3DC199D418390
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (8c$08c$88c$@8c$H8c$x6c$x6c
                                                                                                        • API String ID: 0-1323376531
                                                                                                        • Opcode ID: 079f059f6850ec3b5ff6634cd2970140aa164b951237aad186dce955a6c09818
                                                                                                        • Instruction ID: 6e8cf22ce8cdc06883f44fc3dd182ba285e5dd1541ead68f78890fed5764da7e
                                                                                                        • Opcode Fuzzy Hash: 079f059f6850ec3b5ff6634cd2970140aa164b951237aad186dce955a6c09818
                                                                                                        • Instruction Fuzzy Hash: 4BC16070E0965D8FDBA9EF68C4647A877B1FF55304F5180BED00DD72A2CA356A85CB40
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 8c$x6c$x6c$x6c$x6c$6c
                                                                                                        • API String ID: 0-955908415
                                                                                                        • Opcode ID: 22e5f45cc6a22bd9ee2c6eb0278ccc14b90f5a3f9c9f1d0fdb9206c20ce7e228
                                                                                                        • Instruction ID: dd55414cee1b514f6210fa5f60753ac880ecbce5f3f74b9811e91ded53fa2b0c
                                                                                                        • Opcode Fuzzy Hash: 22e5f45cc6a22bd9ee2c6eb0278ccc14b90f5a3f9c9f1d0fdb9206c20ce7e228
                                                                                                        • Instruction Fuzzy Hash: F091A130E0960D9FDB59EFACC451AA8B7F1FF55300F5101BAD448DB2A5CA34A982CB80
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 13x$2;x$3Cx$4Kx$x6c
                                                                                                        • API String ID: 0-2979034044
                                                                                                        • Opcode ID: 3a892f1b1563450829a93ca398c46152e0f7661484160c0d33a49add8bba20f5
                                                                                                        • Instruction ID: 45b77d225362913dd7f2f64192e67a9ae5d7f46a07eb0224065f2e0fea6b1f89
                                                                                                        • Opcode Fuzzy Hash: 3a892f1b1563450829a93ca398c46152e0f7661484160c0d33a49add8bba20f5
                                                                                                        • Instruction Fuzzy Hash: 9D220427B1A52A4BE725F7BDB4614FD6B91EF80372B45027BD24DCA0E3CD18658682E0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: P9c$hc$hc$pc
                                                                                                        • API String ID: 0-2865542625
                                                                                                        • Opcode ID: 76567ee4a1ed615d2f1cf5fc23935875e4fc104f1b426f1f1ad1ea152b7ce348
                                                                                                        • Instruction ID: 2e0368c8debdb6fa81fc49681a9dcdc524c4c76a2f2f0d5d4e977efa5c84e01f
                                                                                                        • Opcode Fuzzy Hash: 76567ee4a1ed615d2f1cf5fc23935875e4fc104f1b426f1f1ad1ea152b7ce348
                                                                                                        • Instruction Fuzzy Hash: 2DF15731B1DA494FE7A9EB6C886557877E1EF99310B0101BFE08DC72E7DE24AD428781
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: [c$[c$[c$[c
                                                                                                        • API String ID: 0-3043487179
                                                                                                        • Opcode ID: 2141e4f6b70f4a1348f85edcc6d1a41725e3bca99f11a2ed23a7d5e27fb1f45c
                                                                                                        • Instruction ID: baa8d9f3170766b0e4cc22843d93d82c2fdd24e3a5459d0992e718e324c43fd6
                                                                                                        • Opcode Fuzzy Hash: 2141e4f6b70f4a1348f85edcc6d1a41725e3bca99f11a2ed23a7d5e27fb1f45c
                                                                                                        • Instruction Fuzzy Hash: 64C1F970E09A1D8FDB95EFA8C854BADB7B1FF59304F1541AAD00DE72A5CA34A981CF40
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ([c$8c$8c
                                                                                                        • API String ID: 0-1978468809
                                                                                                        • Opcode ID: 29d14af49f9f87cd88e1424348bed5223eeb54afce20beb623e0b35907cffa98
                                                                                                        • Instruction ID: 6ba281de03f830ac032e1742365a8457ee10e73310204595c1b840360d5d33df
                                                                                                        • Opcode Fuzzy Hash: 29d14af49f9f87cd88e1424348bed5223eeb54afce20beb623e0b35907cffa98
                                                                                                        • Instruction Fuzzy Hash: 5E716E70E0965D8FDB95EFA8D864AE97BF1FF5A310F1001AED00DD72A2CA395942CB50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: X[c$X[c$`[c
                                                                                                        • API String ID: 0-3526788435
                                                                                                        • Opcode ID: f87584454ae3de7b1e97c83fa4a5d00e766dc63310293b58934e4cc60ad2cc02
                                                                                                        • Instruction ID: 37792707824bec8879d587c12742c406440c7623606c110fc28919144ca2c86f
                                                                                                        • Opcode Fuzzy Hash: f87584454ae3de7b1e97c83fa4a5d00e766dc63310293b58934e4cc60ad2cc02
                                                                                                        • Instruction Fuzzy Hash: 55812A70E0961D8FDB69EFA8D8647EDB6B0EF45304F5001BED009E72A2DB381A85CB51
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: x6c$x6c$6c
                                                                                                        • API String ID: 0-3104503832
                                                                                                        • Opcode ID: ecd579af4fafc5368b61d7e26166d256a389979822cd7575879481ef449a2c1a
                                                                                                        • Instruction ID: 88bc2dbe69e80b62c0e836a30d7db06ea220bc250d8b6f88a71d4a2026ad85b2
                                                                                                        • Opcode Fuzzy Hash: ecd579af4fafc5368b61d7e26166d256a389979822cd7575879481ef449a2c1a
                                                                                                        • Instruction Fuzzy Hash: E161E33154E7898FD796DF78C864B987BF1EF86300F1501EAD048DB2A2CA795986CB50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 89c$@9c$H9c
                                                                                                        • API String ID: 0-3228224981
                                                                                                        • Opcode ID: 51a76389eba954c125aff5ca3c1f592099f4bd5d16fdde3d3679d33456be251d
                                                                                                        • Instruction ID: 1b3467802b5ac1bec57a51b1cf7eaf1741fb28ced63174fe0df6a42cd290ecf1
                                                                                                        • Opcode Fuzzy Hash: 51a76389eba954c125aff5ca3c1f592099f4bd5d16fdde3d3679d33456be251d
                                                                                                        • Opcode Fuzzy Hash: 8d2f6a23fb19c4f83d73a2066161fb6fb02a073d70d10fea37cee78161ffaea4
                                                                                                        • Instruction Fuzzy Hash: B8710331B1AA494FFBB9EB6884685757BD1FF59300B11057EE08EC32A6DE28BC418741
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: x6c
                                                                                                        • API String ID: 0-628281631
                                                                                                        • Opcode ID: c0220781bd1870332292a9e5f6fd0fc2e128fe89ff53aa061b0ad2746403ecea
                                                                                                        • Instruction ID: 65e8c7efdd99fd7ea27e5247da1aaf7a7c308983663095e15ce9607975a3be5f
                                                                                                        • Opcode Fuzzy Hash: c0220781bd1870332292a9e5f6fd0fc2e128fe89ff53aa061b0ad2746403ecea
                                                                                                        • Instruction Fuzzy Hash: 9C71C570E0A64D9FDB55EBA8D4616E9BBF0EF46314F05017FD00DDB2A2CA395982C750
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: @c
                                                                                                        • API String ID: 0-3879474249
                                                                                                        • Opcode ID: a4f8591c8831dfc329ad058a7d749495c27cccae3ebab7c95ce951b5e4812faa
                                                                                                        • Instruction ID: 66a9b7325b7632611dcedf4cff8c2dbc39ef9cb7636de0ea07802027611665ac
                                                                                                        • Opcode Fuzzy Hash: a4f8591c8831dfc329ad058a7d749495c27cccae3ebab7c95ce951b5e4812faa
                                                                                                        • Instruction Fuzzy Hash: 6A51082270EA4E0FF769E65CA8616B47BD1EF4636170601BBD44EC71A3DD19ED428340
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ^N_^
                                                                                                        • API String ID: 0-3244440111
                                                                                                        • Opcode ID: 605bfea4f42831c04360c412904fc7f64b677022bb1fd780ef561c9fec4c7cc4
                                                                                                        • Instruction ID: d037b51c2cbdf7ab0f510887477980c4ce445a62a545c1f56159974fadf47a8d
                                                                                                        • Opcode Fuzzy Hash: 605bfea4f42831c04360c412904fc7f64b677022bb1fd780ef561c9fec4c7cc4
                                                                                                        • Instruction Fuzzy Hash: 2F51B422A1D7A54FD342B778A4761D83FB1EF4223170942F7C189CF0E7E9582886C792
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (8c
                                                                                                        • API String ID: 0-2529978249
                                                                                                        • Opcode ID: fa1571cabb6d55fa682084c3b38f009ba0a5e8f758ba7b88b4710e9501c06202
                                                                                                        • Instruction ID: 0b5cd474cfdde7ef44ccf4638853db40f68b9cf35f1054e50102ff3bd1c6e91c
                                                                                                        • Opcode Fuzzy Hash: fa1571cabb6d55fa682084c3b38f009ba0a5e8f758ba7b88b4710e9501c06202
                                                                                                        • Instruction Fuzzy Hash: 72511D31A0EA8D4FDB52EB7888259E57BF1EF56310B0901FBD048D71A3DD2CA946C751
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: x6c
                                                                                                        • API String ID: 0-628281631
                                                                                                        • Opcode ID: 6dae5cbacc54a5abf9c43dd879eea5e9cfa4e3576bad980fd3920b0aafa91869
                                                                                                        • Instruction ID: f62d0872c85bf184d442f2a01da2fe7acd1d4fae6bb04a3ca1dddcaa900e60ae
                                                                                                        • Opcode Fuzzy Hash: 6dae5cbacc54a5abf9c43dd879eea5e9cfa4e3576bad980fd3920b0aafa91869
                                                                                                        • Instruction Fuzzy Hash: 53514930E0A61D8FDB69EBA8C4616FDB7B1EF89300F51007EE009E72A1CE386945CB40
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: x6c
                                                                                                        • API String ID: 0-628281631
                                                                                                        • Opcode ID: a999224e60c92da09c3607246b0608990d5db143dea29654d5f556c9ffefc47d
                                                                                                        • Instruction ID: 3136cd82495b14d3dbb7f6a309f8bf829f83ddb4d7957f9f99746913aae5d03b
                                                                                                        • Opcode Fuzzy Hash: a999224e60c92da09c3607246b0608990d5db143dea29654d5f556c9ffefc47d
                                                                                                        • Instruction Fuzzy Hash: B051E370E0A69D9FDB56DBA8D8616E97BF0EF46314F0501BFD049DB2E2CA381982C750
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: c
                                                                                                        • API String ID: 0-1422850941
                                                                                                        • Opcode ID: 58e4e1b24788268ba72b2e34e90a5770b2eca6a9e80de589a31491b832ead043
                                                                                                        • Instruction ID: 6d30007dbe92aa4c9d21bf674e5024e5054765e58e77eda2e16ffb4960cc9e45
                                                                                                        • Opcode Fuzzy Hash: 58e4e1b24788268ba72b2e34e90a5770b2eca6a9e80de589a31491b832ead043
                                                                                                        • Instruction Fuzzy Hash: 7B41143070EA4E0FE799EB6C8824A757BD1EF99314B4501BEE44DC72E7DD18AC428341
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: x6c
                                                                                                        • API String ID: 0-628281631
                                                                                                        • Opcode ID: 2620053bf7cd07c043cb6b90de28c56ae48022267fffbb734da9a0290c8dc466
                                                                                                        • Instruction ID: 91f9a2dcf7426530ec0eeb0ed79ed01c6abbc3b265c7d9f8f5d66213c3169cdc
                                                                                                        • Opcode Fuzzy Hash: 2620053bf7cd07c043cb6b90de28c56ae48022267fffbb734da9a0290c8dc466
                                                                                                        • Instruction Fuzzy Hash: 4E418B31E09A5D8FDB59EBA8C8656ADB7F1FF59300F01017AD009D72A1CB386945CB40
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: `\c
                                                                                                        • API String ID: 0-427113989
                                                                                                        • Opcode ID: 316de017796f9530ea127f9acf2a182d15512debb4bd8a0fdd3dfeb910ebe9db
                                                                                                        • Instruction ID: 9abf03a0c684879c3c642df22cf10e52445a0b1f4c2e07068a8abe356ee9950c
                                                                                                        • Opcode Fuzzy Hash: 316de017796f9530ea127f9acf2a182d15512debb4bd8a0fdd3dfeb910ebe9db
                                                                                                        • Instruction Fuzzy Hash: 5441A831E09A4D9FDB46EFA8C450AE9BBF1FF56311F1501ABD008DB2A2DB389941CB50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: x6c
                                                                                                        • API String ID: 0-628281631
                                                                                                        • Opcode ID: 3948ce789c940736075ab0f6fa4d5af1c8777dcaf8fe6b111a7ac0969ae79c27
                                                                                                        • Instruction ID: e98d38f7d9d5211d6a4d450693823c7f863e011395d1308e04300d314fb119fc
                                                                                                        • Opcode Fuzzy Hash: 3948ce789c940736075ab0f6fa4d5af1c8777dcaf8fe6b111a7ac0969ae79c27
                                                                                                        • Instruction Fuzzy Hash: 2331D331B1DA0D8FDB68EA6C986957D77E1EFD9311B0101BFE449C72A6DE20AC0286C1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: x6c
                                                                                                        • API String ID: 0-628281631
                                                                                                        • Opcode ID: f7ab80fc9ac400854554e6aeaa0b2f33254649a072728c10aaeaa4c22de83c00
                                                                                                        • Instruction ID: ec4e0e9222592422e8627bb60b24448daae40a1f61e93b331115e304a169b39b
                                                                                                        • Opcode Fuzzy Hash: f7ab80fc9ac400854554e6aeaa0b2f33254649a072728c10aaeaa4c22de83c00
                                                                                                        • Instruction Fuzzy Hash: 3841A171E09A4D8FDB55EBA8C4656A9BBF1FF59300F5101BBD009D72A2DF386942CB40
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: c
                                                                                                        • API String ID: 0-936883442
                                                                                                        • Opcode ID: 5917e7785d3bdc0621610a9e805ae379440e79ac393c3f216fe4c9c535af19de
                                                                                                        • Instruction ID: 7210a48714b267c3cd7cb5d3717050c9f67ab720a9765e90c91d1ff47ef8abdb
                                                                                                        • Opcode Fuzzy Hash: 5917e7785d3bdc0621610a9e805ae379440e79ac393c3f216fe4c9c535af19de
                                                                                                        • Instruction Fuzzy Hash: 05019230A09B494FE7A5EB288458A6A7BE1EFD5314F04497FE88DC7271DE34AA41C741
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: xc
                                                                                                        • API String ID: 0-2970901633
                                                                                                        • Opcode ID: dc7e0ba6e8a8580585bf575b07307492ddc30d661a73182d4d50b856499f8d0e
                                                                                                        • Instruction ID: 9518d5aae4181816e52e7e7de0705998bcbc7673564c18517233795dfdf89dd3
                                                                                                        • Opcode Fuzzy Hash: dc7e0ba6e8a8580585bf575b07307492ddc30d661a73182d4d50b856499f8d0e
                                                                                                        • Instruction Fuzzy Hash: 52E0CD3070A64A4FEF47FBBD494058037D0EF5A344B8500E5D84DCF161E54D9695C351
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e3dbfa84bef2dc915ae9635207b2dcf76271de148854c00f18fe84273412122a
                                                                                                        • Instruction ID: 5c8aadaed17a222f17a799c9dd37338396ae2195915c4bb049750af7aab9d34f
                                                                                                        • Opcode Fuzzy Hash: e3dbfa84bef2dc915ae9635207b2dcf76271de148854c00f18fe84273412122a
                                                                                                        • Instruction Fuzzy Hash: 6502F431B1EA5D4FEBA5FB6884A4AA43BD1EF59300B0541FED84DCB1A7DD28AD45C340
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        • Opcode Fuzzy Hash: 12c6207fd21666ddd35b7ee8a6276b37af603db44e12afd62e58918c1537f900
                                                                                                        • Instruction Fuzzy Hash: 98614822B1E69A4BE755FBECA8719F93FA1EF50324B0442BBE09DC70D7CD5464868381
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8c0f219e503bd83046f9bff20646011eee57aa305c8004c9c6ffb44101c4374d
                                                                                                        • Instruction ID: b6f8df352d73dd990a3ddf99fceba2a23c85a53c5e2c167b816c073424086064
                                                                                                        • Opcode Fuzzy Hash: 8c0f219e503bd83046f9bff20646011eee57aa305c8004c9c6ffb44101c4374d
                                                                                                        • Instruction Fuzzy Hash: 53510422B1990D0FF7A4EB2C946D7B93BD1EF98250F0601BBE44DC72A5DE189D428342
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 71bf72337dccb0fd9bd3864f9dc7275c5ff3d15209aa9634ff71dcb7b7916bbe
                                                                                                        • Instruction ID: 518aba7707552083608425a1cca059c5d12e5e4e45fa425c5e3c39c8db695e6c
                                                                                                        • Opcode Fuzzy Hash: 71bf72337dccb0fd9bd3864f9dc7275c5ff3d15209aa9634ff71dcb7b7916bbe
                                                                                                        • Instruction Fuzzy Hash: 5D81FE70A18A4E8FDB84EF58C895BADB7F1FF58304F50427AD41DD7296DA34A842CB40
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 077fece66d257e4f9ae0560ccb65ba35ee571396e5d2151a532751f084230e30
                                                                                                        • Instruction ID: 9d649720bb2019ac716a5d671b3f2479cfaf17080988106ba49ff9f662e25126
                                                                                                        • Opcode Fuzzy Hash: 077fece66d257e4f9ae0560ccb65ba35ee571396e5d2151a532751f084230e30
                                                                                                        • Instruction Fuzzy Hash: 46513321B1EA994FE765FBA8A8658F93FA0EF50320B0402BFE09DC71E3CD14A4458381
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b6c78ee67086de5c95c16410086777adca95b2c4bf41e472dbb4674333be304d
                                                                                                        • Instruction ID: 438d461d7b43651aa21c1a5684ccfc7e4b83fb088840672f6f4b13b3c3d287c8
                                                                                                        • Opcode Fuzzy Hash: b6c78ee67086de5c95c16410086777adca95b2c4bf41e472dbb4674333be304d
                                                                                                        • Instruction Fuzzy Hash: 8C512130719A0E5FE768EE5CD894A7177E0FB98710B15067ED44DC7262DE29F8828780
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8f7ca8a4b9a8c07059e32c07524f0856c733b3cd17fed0c622efad0a5edca620
                                                                                                        • Instruction ID: 0e1eb230968ed2f7b14c09d8efe3457a974c60362d1e67076c00dcc1ae53770a
                                                                                                        • Opcode Fuzzy Hash: 8f7ca8a4b9a8c07059e32c07524f0856c733b3cd17fed0c622efad0a5edca620
                                                                                                        • Instruction Fuzzy Hash: 0251D802F2F99E0BF775B6E864315F86F51EF51760B0A42FFD09E460EB9C4839468281
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a1f8461be12772900956955fe2121130985ec555f5dfd9553e2bce090722e762
                                                                                                        • Instruction ID: 856c49fe6d472608ea97132565a03a7607b9528bd19df5c977661ebc09da6338
                                                                                                        • Opcode Fuzzy Hash: a1f8461be12772900956955fe2121130985ec555f5dfd9553e2bce090722e762
                                                                                                        • Instruction Fuzzy Hash: 9351C702F2F99E0BF775B6E864315F86F51EF50764B0A42FFD09E460EB9C4879868281
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 848e881d248121c10ebca6a37a168fc322dc0b5f0d88c8140ebdb3f4fa59ae29
                                                                                                        • Instruction ID: 43054d683f2a857d672d376bc63e9c30dda53ce00e992b24a81435c79c24e397
                                                                                                        • Opcode Fuzzy Hash: 848e881d248121c10ebca6a37a168fc322dc0b5f0d88c8140ebdb3f4fa59ae29
                                                                                                        • Instruction Fuzzy Hash: D6510A3071CA5C4FDBA5EB6C8465AB937D1EF99340F0501ABF48AC32A7CE28ED418781
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3600b9986964f7f3e0b474c0ac8c6af680b431cf60c8a42d1785ebc092ef46c4
                                                                                                        • Instruction ID: 763b301e7918d0ed8150ecf8358b0f47dea54c673221f3b3c64d02b934a1aac3
                                                                                                        • Opcode Fuzzy Hash: 3600b9986964f7f3e0b474c0ac8c6af680b431cf60c8a42d1785ebc092ef46c4
                                                                                                        • Instruction Fuzzy Hash: 53512B22B0ED5D0FF7B9E76C94646797BD1EF99240B0901BEE04EC32E6DE18AD468341
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 4d21277fb9a12eb8be436fb71ef3a05490ec855ade3fa083b3de4943b1171f32
                                                                                                        • Instruction ID: 8e070f4ad3cec4ef9e01ab0a02900d917caa9b629b51477acfaa48f077096e98
                                                                                                        • Opcode Fuzzy Hash: 4d21277fb9a12eb8be436fb71ef3a05490ec855ade3fa083b3de4943b1171f32
                                                                                                        • Instruction Fuzzy Hash: 6941D722B2EE4E4FD7A8E76C94616A573D1FFD525074541BBD04EC7296EE18EC024381
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 98b5e9cf67183eb7128fda5023bbc422daa0aba4a2eb6a8557bc284feb077df3
                                                                                                        • Instruction ID: e51e288041daee8ecd9fa739887a993eef4c84a54eac16f389925590a49c0073
                                                                                                        • Opcode Fuzzy Hash: 98b5e9cf67183eb7128fda5023bbc422daa0aba4a2eb6a8557bc284feb077df3
                                                                                                        • Instruction Fuzzy Hash: D0410331719E0E4FE764EB59C894A617BE0FF58300B16067DD44DC7666DA39F882C780
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 74d563954c61d226e72606dc74cf89ca04c378e1e1cbeda6af5b25616a721156
                                                                                                        • Instruction ID: a8fa5abf60571635074540180097519b9be83d802fe24d26cc4763483baeaae7
                                                                                                        • Opcode Fuzzy Hash: 74d563954c61d226e72606dc74cf89ca04c378e1e1cbeda6af5b25616a721156
                                                                                                        • Instruction Fuzzy Hash: C451F431B19D5D4FEF95FB688464AA937D1EF58300B0501BED44DCB2A7DE28AC068381
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5f31352892db357dc9ab71b44b284db9d52646c70d730884f531c5a52456779e
                                                                                                        • Instruction ID: 3810b761763e23babc01e498a557ea6b4c21b39251629946e3c66ba28d497781
                                                                                                        • Opcode Fuzzy Hash: 5f31352892db357dc9ab71b44b284db9d52646c70d730884f531c5a52456779e
                                                                                                        • Instruction Fuzzy Hash: 8C510970E1961D8FEB64EFA8C4A5AEDBBB1FF58300F51006ED009E7292DB356985CB01
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e08ee08265fd5a421a3d3b966a3802c3b16d2a286a19039ee6ef0712b4d54961
                                                                                                        • Instruction ID: 4ba8bf8106533205b483831c264e265805a1255ca33b60507bad712a4ea2f8a5
                                                                                                        • Opcode Fuzzy Hash: e08ee08265fd5a421a3d3b966a3802c3b16d2a286a19039ee6ef0712b4d54961
                                                                                                        • Instruction Fuzzy Hash: 2F412531B19A5D4FEBA5EFA898619F93FE1FF54310B4002BEE49DC31D2DE24A9058781
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 19ce2e533f6be48bb52fed6081bc0d3fd077a8da304249206db4a7459ab309ad
                                                                                                        • Instruction ID: 58593b395b78890cb0ca8bd1f4f982b76e05e878e5c2bd164841cc697bedd781
                                                                                                        • Opcode Fuzzy Hash: 19ce2e533f6be48bb52fed6081bc0d3fd077a8da304249206db4a7459ab309ad
                                                                                                        • Instruction Fuzzy Hash: 4B512970E19A0D8FDFA4EFA8C855AEDBBF1EF69304F11116AD00DE3291DA34A941CB40
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2a1aab2dd40476e7987104cf42a524904e3349ee921a96b869de9bbd08e4a077
                                                                                                        • Instruction ID: 0b686a40e8895355c2c319732396078485e2b8c2535676cfd4845e13af2aba93
                                                                                                        • Opcode Fuzzy Hash: 2a1aab2dd40476e7987104cf42a524904e3349ee921a96b869de9bbd08e4a077
                                                                                                        • Instruction Fuzzy Hash: 4A516371F1491D4BEBA8EB5CC8A97A8B3E1EF58350F1001FAD41DD32A6DE346E818B40
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        • Opcode ID: 14eff5cbcac5c3714743482d82ace17bfab44cfa1024b787561943550ecb040a
                                                                                                        • Instruction ID: c522615eae1c6b9aaca80adbbd1b08087ca1ace2080126575727b147c3cdda02
                                                                                                        • Opcode Fuzzy Hash: 14eff5cbcac5c3714743482d82ace17bfab44cfa1024b787561943550ecb040a
                                                                                                        • Instruction Fuzzy Hash: 63319532B1991D4FEBA4FB5CA469BF877D1FF58311F0502BAE40DC7296DE2469018781
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a8ed9d13264cb83a926ef18fdcfc8678c30e88f481e582d0b0d0b55e44fc4609
                                                                                                        • Instruction ID: 31d3dfc63862b6c503f847c968065dc5217e8d3ab03dda4e034c4364443bb75c
                                                                                                        • Opcode Fuzzy Hash: a8ed9d13264cb83a926ef18fdcfc8678c30e88f481e582d0b0d0b55e44fc4609
                                                                                                        • Instruction Fuzzy Hash: 13316820B1DA1E4BFB68D768D0686F573D1EF40304F0988BAD44EC71EAD92D7D818390
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 335be043de1e02040c2f8501791fce3b7d840d17631686ef9a921b093b03b42e
                                                                                                        • Instruction ID: 1ff532e97f8417157c0eb99a214ddc2f65ce6535ac6370a3d77d87f81fda635b
                                                                                                        • Opcode Fuzzy Hash: 335be043de1e02040c2f8501791fce3b7d840d17631686ef9a921b093b03b42e
                                                                                                        • Instruction Fuzzy Hash: 52314C3160DB8A4FE715EB388829565BBE1FF95350F0442BED489C71E2DE24A941C742
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: dbb686889830e72c2b4709c1b7a62a904af4e49bfcad44a8843582e67acdfb9f
                                                                                                        • Instruction ID: 3ecfac3169f9a052b66450528dbe6c546618a25eecb086a344dcb900aa064b4a
                                                                                                        • Opcode Fuzzy Hash: dbb686889830e72c2b4709c1b7a62a904af4e49bfcad44a8843582e67acdfb9f
                                                                                                        • Instruction Fuzzy Hash: 81312330B19E5A4FE769D678C4A4BB177E1FF54308F05457DC49EC32A5EA28B88287C0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 16cce6c0cfb31d8b281937512aeb5844c11e9671177c69e9aaf6545840009a2f
                                                                                                        • Instruction ID: bc9c87d167cd48c1022070c37883e6c4bf7b11cecb4d49e977c6468878cde741
                                                                                                        • Opcode Fuzzy Hash: 16cce6c0cfb31d8b281937512aeb5844c11e9671177c69e9aaf6545840009a2f
                                                                                                        • Instruction Fuzzy Hash: EC319A3160EBC64FD757CB6888646817FF0EF4722471A05EBC489CB0B3E6689D4AC761
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 10a01d4a1481a565cbdfba6cfde7c8ae58617049712b578296d79958c0b3550f
                                                                                                        • Instruction ID: c3a53159916c025da842d3fa461e907e15806b0b684f0cb6236da871e9493814
                                                                                                        • Opcode Fuzzy Hash: 10a01d4a1481a565cbdfba6cfde7c8ae58617049712b578296d79958c0b3550f
                                                                                                        • Instruction Fuzzy Hash: 35219431B19D1D4FEBA4FB5C9499BA97BE1FB98310F0502BAE40DD7255DE209D018781
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a93a85b002e394b5de715da1be83caf789338ef847e72818bfbbcb3fa18496d1
                                                                                                        • Instruction ID: 0b82698b0142aba04dfbe1b96145ce45f49e7359465cb3e15451891929f7005a
                                                                                                        • Opcode Fuzzy Hash: a93a85b002e394b5de715da1be83caf789338ef847e72818bfbbcb3fa18496d1
                                                                                                        • Instruction Fuzzy Hash: FC212B23B4FA4D0AF67491AD38B61B42BC1DB912A874E01BBE54CCA1B2D84B58439290
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c3285c7c0c0c54540dcbef54c0c71e632e363a0f5fd4ab4120f98aea264115ac
                                                                                                        • Instruction ID: e7b2f05aa363e17a7455397779d7f3a25b01db844734619af9395604265d9fcf
                                                                                                        • Opcode Fuzzy Hash: c3285c7c0c0c54540dcbef54c0c71e632e363a0f5fd4ab4120f98aea264115ac
                                                                                                        • Instruction Fuzzy Hash: 6221362171FA8A4FF766E73C88259647FE1DF9624070981FED088CB1B6D918A846C340
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3f58527d0026b9c99966ac25b5bf878050d6dd862e21f5283bc1bb232fa79637
                                                                                                        • Instruction ID: a9130a97011f965138f7324f6820d256bf950fae511d69197cc320aeb12bcae7
                                                                                                        • Opcode Fuzzy Hash: 3f58527d0026b9c99966ac25b5bf878050d6dd862e21f5283bc1bb232fa79637
                                                                                                        • Instruction Fuzzy Hash: 0C212922B0EE8E0FE7A6FB9C54E52F477E1EBE9250B0501BBC44DC71A7ED1869464380
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: cbf49b373ad73f0828ceada051b95ff05b8fd1fbab5e3c82f067634f978f19b8
                                                                                                        • Instruction ID: 84f1fededb9b1ea2f9975b5e575ac14ce6f4e396c58dbdd2d27fb21f9cd9f841
                                                                                                        • Opcode Fuzzy Hash: cbf49b373ad73f0828ceada051b95ff05b8fd1fbab5e3c82f067634f978f19b8
                                                                                                        • Instruction Fuzzy Hash: 3821D02171FBCA4FE753E77888645A03FE1EF5764070A81EAD084CF1B7D919A949C351
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0ef541ba4c634721c5be4fbd9e0fa26862010a6af82ec2ce27591059d68342f2
                                                                                                        • Instruction ID: 31e61e7aeb10eac170d4d6e78ea44db2abb65b1b0fc0d1d6170495e46056982c
                                                                                                        • Opcode Fuzzy Hash: 0ef541ba4c634721c5be4fbd9e0fa26862010a6af82ec2ce27591059d68342f2
                                                                                                        • Instruction Fuzzy Hash: 6D31B371E0AA4D9FDB46DF78C4105A97BF1EF56310F1500ABD008DB2A2DB399981CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c3f1e2f5c4a3b76aca4a2e66aff884b46e22cd133c3ee3c9d616b0028bd09c6d
                                                                                                        • Instruction ID: 0f1d2120ae3aebc2881e38daf09866d60efdb57e5a50fb1e1a1b28ec7700b8b8
                                                                                                        • Opcode Fuzzy Hash: c3f1e2f5c4a3b76aca4a2e66aff884b46e22cd133c3ee3c9d616b0028bd09c6d
                                                                                                        • Instruction Fuzzy Hash: AB214E31B08A494FE7A9FB3C84655BD7BD2EF99310B05467EC05EC31EBDD1865028741
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 176e86e8a59b1d04c765b0d3759f4763f15d604c9a5a99b7071cc2fe12215c79
                                                                                                        • Instruction ID: 6dbba1c1ad41efe4f6384c5f10a367411caf13bda2503350f8e0259a54409b66
                                                                                                        • Opcode Fuzzy Hash: 176e86e8a59b1d04c765b0d3759f4763f15d604c9a5a99b7071cc2fe12215c79
                                                                                                        • Instruction Fuzzy Hash: E7115B32B0EE4D0FF7E5E26C646A2B57BC2EB9926171502BFD44DC31A6DD1589034381
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3cfead7874ba013c2e5d9e40ad5d1476da656b6dd2e321cf32e62780589940e7
                                                                                                        • Instruction ID: f9f1776383dad338c328cbdc58bc6e99469b082dd4645208835b5b807850502b
                                                                                                        • Opcode Fuzzy Hash: 3cfead7874ba013c2e5d9e40ad5d1476da656b6dd2e321cf32e62780589940e7
                                                                                                        • Instruction Fuzzy Hash: 69212962A1EACD4FEBA5EFAC9C542E97BA0FFA5200F0501BFD448C71E6DA206901C341
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 14e3f0f581cdc7da5acff7775ee9f4e92161ca603c09e2d7779b433b27f8a5e9
                                                                                                        • Instruction ID: 5bd25c60a99ef5c9bb6e36297bd707c3c62478fe486fdf0c6762e0681703b341
                                                                                                        • Opcode Fuzzy Hash: 14e3f0f581cdc7da5acff7775ee9f4e92161ca603c09e2d7779b433b27f8a5e9
                                                                                                        • Instruction Fuzzy Hash: D2218271A1E69D4FEBA9EA6888652A877B1FF54300F0101BBD44DC61E2DE346A828B40
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: eb0126f1dc11cf9f89497f6160c0bbd571043fb16eb8a59caf446870d4fb4bc4
                                                                                                        • Instruction ID: 2a43b66ce06f8105fd67b20c4de3e336609eed6434fdabdd62e90339a0ae4583
                                                                                                        • Opcode Fuzzy Hash: eb0126f1dc11cf9f89497f6160c0bbd571043fb16eb8a59caf446870d4fb4bc4
                                                                                                        • Instruction Fuzzy Hash: AC213D12B1AB894BD725F37894656E67BA0EF81314F0501BFD0DDC71E3DD6475858350
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: ed8cb9acb3567568a0447ad67916a0b713a8166246e0e18c15c3b0575b73d07f
                                                                                                        • Instruction ID: 5d22805a122d544611ed0effe470d43469eed42fa912a474f28e50b4ad19bb23
                                                                                                        • Opcode Fuzzy Hash: ed8cb9acb3567568a0447ad67916a0b713a8166246e0e18c15c3b0575b73d07f
                                                                                                        • Instruction Fuzzy Hash: 8721B730D0A64E8FDB75EE6494106E8B7B0EF46314F15037ED40CDB1A1DB359A85C750
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5fd46b3d2e2e111eecc4e39694d559afac3972e450e4c29aa9d8c13c7708307e
                                                                                                        • Instruction ID: 002a60cdc9a440b049c487f3b0b7b57de18d006681b57fb7c8a71ad9abfe2ce3
                                                                                                        • Opcode Fuzzy Hash: 5fd46b3d2e2e111eecc4e39694d559afac3972e450e4c29aa9d8c13c7708307e
                                                                                                        • Instruction Fuzzy Hash: 9D219D3188E3C94FD3239BA068225E97F789F03211F0B01EBD08CDB4A3C52D569AC762
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2a812b71fcabf24a14b85434e93ee594dba326476626e6f9957d25061a4be4fe
                                                                                                        • Instruction ID: 1a5551b3c6c148843218328d7fe54fe54bc903069cbdaefe7492f7b761defc91
                                                                                                        • Opcode Fuzzy Hash: 2a812b71fcabf24a14b85434e93ee594dba326476626e6f9957d25061a4be4fe
                                                                                                        • Instruction Fuzzy Hash: 2921D631B1995D4FEFA4FB58C4A5BA937D1EF68300B0540BAD84DC729BDD24AC458781
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2c80edaacdb2b3123c9ecb4ce77fe258ddf4266fca1406828dbd8b6282157c83
                                                                                                        • Instruction ID: 936e2b6fa514171bb7c2e1551bbf2bc54795fcebb8622b0ee3b3de5f766736a1
                                                                                                        • Opcode Fuzzy Hash: 2c80edaacdb2b3123c9ecb4ce77fe258ddf4266fca1406828dbd8b6282157c83
                                                                                                        • Instruction Fuzzy Hash: F2119122B1FA890FF7E595A92CBA1653EC2EF9960075A41FFE448C72B3E9159D01C241
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d21d09986618671e8476a45d8ec2e24e34cc81cf4a3e21dc54c60f077d6b8f4b
                                                                                                        • Instruction ID: 78f6286352b3b8f4379960d786195fb9559d56266e6a634c6a82efccf7c4f9d1
                                                                                                        • Opcode Fuzzy Hash: d21d09986618671e8476a45d8ec2e24e34cc81cf4a3e21dc54c60f077d6b8f4b
                                                                                                        • Instruction Fuzzy Hash: 7311A532B1AD0E0FFBE8E65C64A46B567D2E7E8266715017FD45EC32A4DD15D8434380
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d797aacf4565646c1685cacd6a67a24d226352710d23017f90fd161bdbf96bfd
                                                                                                        • Instruction ID: 3938d1c83198342a9cc6672239645e4304c8b95991872c584a2837d0e5cca47b
                                                                                                        • Opcode Fuzzy Hash: d797aacf4565646c1685cacd6a67a24d226352710d23017f90fd161bdbf96bfd
                                                                                                        • Instruction Fuzzy Hash: BE11E721B2EE4E4BD799E72C84A15E973D1FFD4250745067BC05AC72D6DD18A8428381
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 641641a477d15b021ce5b7577724dfa2c871c594c2f4344574914ba48e94247e
                                                                                                        • Instruction ID: a3e6346cf287cbce381c7932c96f39d039541431bf7a2facbd9be0f370ca3a67
                                                                                                        • Opcode Fuzzy Hash: 641641a477d15b021ce5b7577724dfa2c871c594c2f4344574914ba48e94247e
                                                                                                        • Instruction Fuzzy Hash: E711E532B0FD4D0FF6E494AE3CA61753AC6DB9961174641BFE80CC7276DC129C42C281
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 41de42a161db7b4cfa5e17a68608f4f98b3bfa1e4b61ac0a2cb04dc5dfeb1de3
                                                                                                        • Instruction ID: 4694adf99651614dc86d860267158653066b3b3bf780a48ca7cc18af474a0b1c
                                                                                                        • Opcode Fuzzy Hash: 41de42a161db7b4cfa5e17a68608f4f98b3bfa1e4b61ac0a2cb04dc5dfeb1de3
                                                                                                        • Instruction Fuzzy Hash: 2A21B262A1FBCD5FF762E6B44D341B47FB1AF12240B1901FFD4888B4E3E9196A188352
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 43f407284751d88428ceb7c298436241681616f5d7c666de2e5bdfc59276f515
                                                                                                        • Instruction ID: 55205b5daea24db1d80c9778bb276f95fcee8915cccd94f9b42bc659848b5f19
                                                                                                        • Opcode Fuzzy Hash: 43f407284751d88428ceb7c298436241681616f5d7c666de2e5bdfc59276f515
                                                                                                        • Instruction Fuzzy Hash: 21218062A1FBCD5FF722A6A84D39164BFB16F13200B5900EED4988B4E3D91956188352
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e4c64eeae1115d9d022caf804e5c59f23a987071daac64f9331230daf8552a84
                                                                                                        • Instruction ID: 39b25cae6f0a6009e0178295528ad0ddf7964aa5c190ddb3dacc3a9fb2358f09
                                                                                                        • Opcode Fuzzy Hash: e4c64eeae1115d9d022caf804e5c59f23a987071daac64f9331230daf8552a84
                                                                                                        • Instruction Fuzzy Hash: F511B47060D7889FE778EF28841CBA67BE1EFA9311F01457E94CCC3262EE3468458742
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3ecffb1da68568fe1e1216697de451d1f9eae7e0bbb5e5fbf7c398329fe5229e
                                                                                                        • Instruction ID: 86d5175a4460ab09c52d74233879a19f6f11f5eeb1c5ef0b12aac4bb15fcdefb
                                                                                                        • Opcode Fuzzy Hash: 3ecffb1da68568fe1e1216697de451d1f9eae7e0bbb5e5fbf7c398329fe5229e
                                                                                                        • Instruction Fuzzy Hash: B3115E63B0EE4F4FFBB8EA5CA06436467D1EBA8251716457FD00EC35A5DE11AD068740
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a73836c3a61581635af027657f84927eea52d78c126ade327397a4eee6679c2a
                                                                                                        • Instruction ID: a998153df6f85f84fb1b15a253fb567b57f3b46ff7afe181af08d0d51544f9fe
                                                                                                        • Opcode Fuzzy Hash: a73836c3a61581635af027657f84927eea52d78c126ade327397a4eee6679c2a
                                                                                                        • Instruction Fuzzy Hash: EC11587150F7C85FD3079B7888649507FF0AF6720070A41EFD489CB2B3CA28A986C722
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 30e112c51a496132d94373f5bff2ed01c3853ac7996ea461427544f1995ae5b2
                                                                                                        • Instruction ID: 7811536de6ab9a9dc590fb05c2641bc3ac1b64715a567f7d19814cf4940737b9
                                                                                                        • Opcode Fuzzy Hash: 30e112c51a496132d94373f5bff2ed01c3853ac7996ea461427544f1995ae5b2
                                                                                                        • Instruction Fuzzy Hash: 70115E70619B489FE778EF28C85DBB77BE5EBA9311F01452E948DC3261EF7068418782
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: ddb9c1858bd268858c96f2d67afb3ca769114b0421a890b2c8e46e2403bd6986
                                                                                                        • Instruction ID: 768cd177592b3338d78203d6886ecaae911a6963739e7f897cb236df1f8954c0
                                                                                                        • Opcode Fuzzy Hash: ddb9c1858bd268858c96f2d67afb3ca769114b0421a890b2c8e46e2403bd6986
                                                                                                        • Instruction Fuzzy Hash: 35118161A1FBCD5FF762EAA44D341747FB1AF16200F1901FFD4988A4E3D91966188342
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0f9954176a29a54404af5751b5ee941046093120226e857075b7fb44e9b6c9aa
                                                                                                        • Instruction ID: cd2da69f48280d8f63ffca5d1d42fbc42dee6a844d477fbc89664b733ef7dfeb
                                                                                                        • Opcode Fuzzy Hash: 0f9954176a29a54404af5751b5ee941046093120226e857075b7fb44e9b6c9aa
                                                                                                        • Instruction Fuzzy Hash: 0A016231B1990D0FD7A4EA5DA85577633C6EBD9320B41067BE50DC3266ED15E8418391
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c0c90bf27b7f76b46b83050d3491871c6e857080c797e3e1ac342881248b0844
                                                                                                        • Instruction ID: 2d076ee62efeba404a70368adfacf7d07c8983a4988ca8a056b1dd7751a9dc14
                                                                                                        • Opcode Fuzzy Hash: c0c90bf27b7f76b46b83050d3491871c6e857080c797e3e1ac342881248b0844
                                                                                                        • Instruction Fuzzy Hash: 58018632B4DC0C8FEAD8EA1CA495A7077D1EBA932031506EAD44DC7262D911EC424740
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e38c887a3923963ab89a1a281e148201cd3e33ae4c04f60d5ff4cf85464d0fc4
                                                                                                        • Instruction ID: 5e33825ab148424ade405a399e90b7b95d6ceb1f1daeee4268a0d96a8a51b725
                                                                                                        • Opcode Fuzzy Hash: e38c887a3923963ab89a1a281e148201cd3e33ae4c04f60d5ff4cf85464d0fc4
                                                                                                        • Instruction Fuzzy Hash: 97119161A1FBCD4FF762AA644C341747FB1AF13200F4900FFD8588B4E3D91966088342
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 459b07e5fb4502601df4cf6dd217e2fd679813b21a26db88025c2bff53a562aa
                                                                                                        • Instruction ID: 2819bdbee9dae994011df12bcc0dad2c6e58f81b223e30f6b2dbee799d73ea0b
                                                                                                        • Opcode Fuzzy Hash: 459b07e5fb4502601df4cf6dd217e2fd679813b21a26db88025c2bff53a562aa
                                                                                                        • Instruction Fuzzy Hash: 2AF0F42170EACA1FE766EB7C84645A0BFE1AF45350B0E01EBC488CB1A7DE18E9858341
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f73c9c1f7fbbd87cacec8dc9de636c85ee615cc7fcb807f35bbcdaef114d5699
                                                                                                        • Instruction ID: 0fd5e56240ece56b3f81f1397841269e74410c5eea9a16bea883e2d2816904aa
                                                                                                        • Opcode Fuzzy Hash: f73c9c1f7fbbd87cacec8dc9de636c85ee615cc7fcb807f35bbcdaef114d5699
                                                                                                        • Instruction Fuzzy Hash: 0DF05E52F1EA9E0FD666F26C28B91A81A829BD552074A02ABD548C72A6EC5859824382
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6b9c9733b1a5f91b035059c0b3db69af430db2eea1da71243d0c9205831d3398
                                                                                                        • Instruction ID: 5bee9333b49913e224276f40e4bd2996b4ecf94d8fbddeaf0ad625bcd3d7cf72
                                                                                                        • Opcode Fuzzy Hash: 6b9c9733b1a5f91b035059c0b3db69af430db2eea1da71243d0c9205831d3398
                                                                                                        • Instruction Fuzzy Hash: 1B01D63090A68E8FDB54EF14C8612E97BA1FF55300F0204BEE44CC7592DA79E950C740
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9fe599ef726663b6b1b7f9810624c61a2d58fd64849007456d30eb4975d6d2f4
                                                                                                        • Instruction ID: 548b24283f00ce8d36dc4d7243cf7251599fb750af4040b6411bf0b765d74a6d
                                                                                                        • Opcode Fuzzy Hash: 9fe599ef726663b6b1b7f9810624c61a2d58fd64849007456d30eb4975d6d2f4
                                                                                                        • Instruction Fuzzy Hash: A8F08C31D0560C8BD724AEA9E0003F9F7B4EF8A305F45103ED00CA2190C37A9695CB54
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 57ff003c9b9751d271c7af349111f5c0d5568c8fdfee56be866b24db03b722c9
                                                                                                        • Instruction ID: 7e341a9eaa0bbb7d429311d13b9f946dcc072a421d8633f9fd75b4d2f526c1e9
                                                                                                        • Opcode Fuzzy Hash: 57ff003c9b9751d271c7af349111f5c0d5568c8fdfee56be866b24db03b722c9
                                                                                                        • Instruction Fuzzy Hash: 71F01D31F1592D8FDBA4EF589860BE8B372FB85311F4045BAE01DD3295CE356D858B41
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d8349ff8c0eb96d01f1011f257f21439ab05afda371e8c51335604c4d77a62bc
                                                                                                        • Instruction ID: 84de0efa77bac06b135a3785d3d51af102f6ee757b898446861164cdb31d6c06
                                                                                                        • Opcode Fuzzy Hash: d8349ff8c0eb96d01f1011f257f21439ab05afda371e8c51335604c4d77a62bc
                                                                                                        • Instruction Fuzzy Hash: D0F0E931B19A4E4FE365EB6CC5656A47BD0FF08310B4601BED448C72A2EE18ED918780
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7d17d22b26265402a0a9c3b3aed0bb9855340e2917952b5ee773b950abe475c7
                                                                                                        • Instruction ID: 6148f3861c3857ca700069bdfbd194e717d29fd03f0e048d79541784c74f158b
                                                                                                        • Opcode Fuzzy Hash: 7d17d22b26265402a0a9c3b3aed0bb9855340e2917952b5ee773b950abe475c7
                                                                                                        • Instruction Fuzzy Hash: 88F05C3171AD1D4BFAB4F3685060BFA27D2EB98310F85003EE84EC22D5DD5969818340
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 75e191324d4aaea9975794b0f3cb10e2f049cd143d3aa1f67be70c2cdda150e3
                                                                                                        • Instruction ID: 2650eb45b02b4b1921ac93908ff1c5469885031a8d4d0c2a0377ef21ba89ee76
                                                                                                        • Opcode Fuzzy Hash: 75e191324d4aaea9975794b0f3cb10e2f049cd143d3aa1f67be70c2cdda150e3
                                                                                                        • Instruction Fuzzy Hash: 0EF0A930D4A60E8FC724EEA4E4403FDB2B4FB0A205F41223ED00CA2190C7BA9A94CB84
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2ef2688c4dd9518b9e7037b0b9d89b07538083f1e4c4ce26bb945238696d6411
                                                                                                        • Instruction ID: d96103c2276b6eb8089ab94efd33e9c20d060f249bc916dba89a4f1e6d5ce7a5
                                                                                                        • Opcode Fuzzy Hash: 2ef2688c4dd9518b9e7037b0b9d89b07538083f1e4c4ce26bb945238696d6411
                                                                                                        • Instruction Fuzzy Hash: 50F0242630EA8D8FEBA0DA48E4D8B64BBE2FF95310F4902B8C44CC7252C635EC05C381
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b334cf7da95e3733cf569bdeec91e7465a6338e6d03d665522dfcbbf143a9818
                                                                                                        • Instruction ID: 67d9dbd412376dcf3ec71d8df42555dec28c4c19d5f327129e71e9c9b5ef5658
                                                                                                        • Opcode Fuzzy Hash: b334cf7da95e3733cf569bdeec91e7465a6338e6d03d665522dfcbbf143a9818
                                                                                                        • Instruction Fuzzy Hash: 1BF05475E2550D5BEB98F79888A5EAC73B2FFD8B40F414075E048D33A2DE296C41C701
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9fdffd742e2273caf650485bc3ccf03f0401c6cb63d2bcb5225733261d35bca8
                                                                                                        • Instruction ID: ca5541ddd09dccbaf81a8bcdd9026e9ca75f753bb155cc4cdf16bf58506744fc
                                                                                                        • Opcode Fuzzy Hash: 9fdffd742e2273caf650485bc3ccf03f0401c6cb63d2bcb5225733261d35bca8
                                                                                                        • Instruction Fuzzy Hash: 62E0D83370EA488BDB58C99C24561FE7BD2E798126B10057FD14AC3211D92189158380
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 307b0a61fe3b2d3eec30f44e3df005872ea24eb5955a7d05b6daa1614c3b77fe
                                                                                                        • Instruction ID: b17df84e35d90d5460dab6b10437f97dea01549fa605c608769f6f03bfe3457d
                                                                                                        • Opcode Fuzzy Hash: 307b0a61fe3b2d3eec30f44e3df005872ea24eb5955a7d05b6daa1614c3b77fe
                                                                                                        • Instruction Fuzzy Hash: D7E02620F1981C0FEBB8EA7C9868A3523D2EF48600B1241F6908DC32A9ED14AC024380
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2518f7dbb3e9e252e97afb31b4ddf738a159a19e7c541bbbfbf4dcdbaebe785d
                                                                                                        • Instruction ID: c9af97b2c1042ca57561ca22e480502f7b8bd1656400b9e1bd265a1f87f37da7
                                                                                                        • Opcode Fuzzy Hash: 2518f7dbb3e9e252e97afb31b4ddf738a159a19e7c541bbbfbf4dcdbaebe785d
                                                                                                        • Instruction Fuzzy Hash: E8E06131B1525D6BC755ABE8F8209EABBB0EF41320B1001FFC55DCB442CE301591C791
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c5520673c1213b5de3d69b403b85535a361aad9c03d39bcac3dea15d7bd26f4c
                                                                                                        • Instruction ID: 606dd295977faceef0b530cded5b22290d7da515907a7cb13852be4408f82635
                                                                                                        • Opcode Fuzzy Hash: c5520673c1213b5de3d69b403b85535a361aad9c03d39bcac3dea15d7bd26f4c
                                                                                                        • Instruction Fuzzy Hash: 87E0D89192F6DD5FE752A7B44C2A8947F90AF56210B4D81FBD048CF0A3E549A5068342
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 04d728f672e98542c9cdcaec7306e50c703aa32705e37869aa86324c980aed28
                                                                                                        • Instruction ID: 30291d01d97ec6df0d22dc02c5b97d251a7ffc8f21286e51dec421fba2d59455
                                                                                                        • Opcode Fuzzy Hash: 04d728f672e98542c9cdcaec7306e50c703aa32705e37869aa86324c980aed28
                                                                                                        • Instruction Fuzzy Hash: DEE02231A1A1096BCB0ABBA4A8206E9BBA0EF00320B1001FFC42DCB086CE6425918B91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9cd64fcccf6cf23728a346ad142ca9cb18e9d61e696274b4d1ae38aede437b56
                                                                                                        • Instruction ID: fb2d092526a7112c4051149bc4022136f0860696172f294e096a993bc2efeac2
                                                                                                        • Opcode Fuzzy Hash: 9cd64fcccf6cf23728a346ad142ca9cb18e9d61e696274b4d1ae38aede437b56
                                                                                                        • Instruction Fuzzy Hash: 81E0E531E1441C8ECB54EF68E851BECB7B1FF44205F4040BAE01CE3286CA7969818B00
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2377299778.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false